is substantially different from legacy standards and justifies reexamination on a

channels are examined at the medium-access (MAC) and the physical (PHY) layers with proposed attack vectors. Methodologies are proposed to overcome challenges in terms of the timing and power associated with manipulating control channels.

multiple-input multiple-output (MIMO) disruption, network-entry disruption, and

are also discussed, including transmission power manipulation, entry procedure

EXECUTIVE SUMMARY


Introduction. Worldwide Interoperability for Microwave Access (WiMAX) is a next-generation wireless data-communications standard poised to dominate mobile data connectivity in the commercial and military arenas. However, the security and robustness of the commercial standard need to be examined and risks mitigated before it can be considered for military applications. At the same time, with the proliferation of WiMAX networks worldwide, the ability to exploit or disrupt operations can be of operational worth.

Related Works. Much work has been accomplished to evaluate security concerns and vulnerabilities within the IEEE 802.16 standards. The majority of works reviewed, including [1], [2], [3], [4], [5], [6] and [7], exploited WiMAX Media Access Control (MAC) management/control messages that were not authenticated or encrypted, giving rise to man-in-the-middle attack vulnerabilities.

The release of IEEE 802.16m-2011 saw substantially revised MAC and physical (PHY) layers in the form of the advanced air interface (AAI), which essentially can be likened to a new standard built to run in harmony with previous legacy standards. This fundamentally new interface warrants a fresh examination for vulnerabilities, and Blair [8] performed such an examination. He highlighted vulnerabilities related to the lack of authentication for ranging and capability negotiation messages, which are exchanged prior to execution of the authentication process. An attacker can spoof a ranging response message with the abort flag set to deny entry to mobile stations (MSs). Alternatively, capability negotiation messages can be altered to cause a low security connection to be formed to compromise data sent during the session.

In this thesis, methods of manipulating the WiMAX control channel for both IEEE 802.16m-2011 and the legacy IEEE 802.16-2009 are explored.


MAC Management Messages. MAC management messages are a key part of WiMAX control channels and are secured by two types of protection. The integrity check value (ICV), first introduced with IEEE 802.16m-2011, affords complete protection, including confidentiality, integrity, and authenticity. Cipher-based message authentication code (CMAC) and hashed message authentication code (HMAC) provide authenticity and integrity protection but no encryption. For these to be used, a security association needs to be established, which includes authentication as well as key exchange. While ICV and CMAC/HMAC were extended to more and more control messages over the years, there are still messages that remain unprotected.
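As an added illustration (not code from the thesis or from the IEEE 802.16 standard) of how these protection classes change what a receiver will act on: a toy station that accepts only network-entry messages before a security association exists and requires a verified tag on every management message afterwards. HMAC-SHA1 from the Python standard library stands in for the standard's CMAC/HMAC, and the message-type set, the key and the tag length are constructed assumptions.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Management messages that must be exchanged before any key exists; the
# names are those the thesis discusses, but the set itself is constructed
# for this model and is not the standard's own list.
PRE_SA_MESSAGES = {"AAI-RNG-REQ", "AAI-RNG-RSP", "AAI-RNG-ACK",
                   "AAI-SBC-REQ", "AAI-SBC-RSP"}

TAG_LEN = 8  # truncated tag length in bytes (assumed, not the standard's)


def make_tag(key: bytes, msg_type: str, payload: bytes) -> bytes:
    """Integrity/authenticity tag over message type and payload.

    HMAC-SHA1 stands in for the standard's CMAC/HMAC; nothing is encrypted,
    matching the page's description of CMAC/HMAC as integrity and
    authenticity protection only. No replay counter is modelled.
    """
    data = msg_type.encode("ascii") + b"\x00" + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:TAG_LEN]


class Station:
    """Receiver side of an AMS or ABS, reduced to the acceptance decision."""

    def __init__(self) -> None:
        self.sa_key: Optional[bytes] = None  # None until the SA is formed
        self.accepted: List[Tuple[str, bytes]] = []  # messages acted upon

    def establish_sa(self, key: bytes) -> None:
        """Called once authentication and key exchange have completed."""
        self.sa_key = key

    def receive(self, msg_type: str, payload: bytes,
                tag: Optional[bytes] = None) -> str:
        """Return 'accepted' or a 'dropped: ...' reason."""
        if self.sa_key is None:
            # Only network-entry messages can be acted on without a key.
            # This is the residual exposure the thesis describes: a spoofed
            # AAI-RNG-RSP with the abort flag set cannot be told apart here.
            if msg_type in PRE_SA_MESSAGES:
                self.accepted.append((msg_type, payload))
                return "accepted"
            # e.g. an AAI-RES-CMD arriving before the SA exists is refused
            return "dropped: no security association"
        if tag is None:
            return "dropped: unprotected message after SA"
        expected = make_tag(self.sa_key, msg_type, payload)
        if not hmac.compare_digest(expected, tag):
            return "dropped: tag mismatch"
        self.accepted.append((msg_type, payload))
        return "accepted"


def run_scenarios() -> dict:
    """Constructed message sequence exercising each branch of the gate."""
    ams = Station()
    results = {}
    # Before the SA: a reset command is refused, a ranging response is not.
    results["res_cmd_pre_sa"] = ams.receive("AAI-RES-CMD", b"reset")
    results["rng_rsp_pre_sa"] = ams.receive("AAI-RNG-RSP", b"abort=1")
    # Authentication and key exchange complete (constructed key).
    sa_key = b"constructed-sa-key-not-real"
    ams.establish_sa(sa_key)
    # A genuine traffic indication from the ABS carries a valid tag.
    payload = b"traffic pending"
    results["trf_ind_genuine"] = ams.receive(
        "AAI-TRF-IND", payload, make_tag(sa_key, "AAI-TRF-IND", payload))
    # An injected copy from a station without the key: no tag at all ...
    results["trf_ind_no_tag"] = ams.receive("AAI-TRF-IND", payload)
    # ... or a genuine tag reused over a modified payload.
    results["trf_ind_tampered"] = ams.receive(
        "AAI-TRF-IND", b"traffic pending; stay awake",
        make_tag(sa_key, "AAI-TRF-IND", payload))
    results["accepted_count"] = len(ams.accepted)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The scenario shows why the thesis concentrates on messages outside the protected set: once the tag check is in place, an injected AAI-TRF-IND is dropped, while the pre-association ranging exchange remains accepted on faith.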

Spoofing and Injection of Control Messages. Most vulnerabilities involve an intruding station (IS) spoofing false MAC management messages at the ABS or an AMS. In contention-based wireless standards such as IEEE 802.11 (Wi-Fi), knowing the frequency as well as key parameters is sufficient for an attacker to start injecting messages. The time-division multiple access (TDMA) and orthogonal frequency-division multiplexing (OFDMA) nature of WiMAX means that, on top of knowing normal parameters, transmitting on the correct sub-carriers and at the correct timing is also crucial. Most literature discusses vulnerabilities of MAC management messages assuming they can be injected successfully without discussing details. Boom correctly identified that the single biggest challenge in mounting attacks on TDMA systems is timing [9].

The challenges and proposed solutions for injecting MAC management messages, both at advanced base stations (ABSs) and advanced mobile stations (AMSs), are examined in detail in this thesis. The attacker will first need to attain downlink synchronization by detecting and decoding preambles. The connection identifiers (CID) of the targeted AMS need to be acquired by listening to the AMS when it joins the network. The downlink medium access protocol (DL-MAP) and uplink medium access protocol (UL-MAP), which contain resource allocations for each frame, need to be decoded. The attacker can then know when, and on which sub-carriers, to inject the formulated messages. IEEE 802.16m-2011 scrambles assignment MAPs for unicast messages, leaving only broadcast messages that can be located and exploited.

Several different scenarios exist, depending on whether we are injecting on the uplink (to the BS) or the downlink (to the MS) and whether the location of the subject is known. The timing for injected messages needs to be referenced to the ABS, which means propagation delay from the attacker to the subject (including their relative positions) needs to be factored in, and transmission timing advanced or retarded if necessary. If the subject's precise location is known, timing and power adjustments can be estimated from the distances among the attacker, BS, and MS. If the location of the MS that we plan to inject messages into is unknown, we can attempt transmission of an injected message over multiple attempts over a selected range bounded by the cell's dimension until the transmission commencement falls within the guard interval window. If injecting into an uplink, the attacker can use the initial ranging process to obtain the precise timing, frequency, and power adjustments required to obtain a nominal signal at the BS.

As the formulated signal needs to overcome a real signal, the power incident upon the subject needs to be sufficiently higher. The attacker's transmission power is thus targeted to be higher than the nominal signal by the signal-to-noise ratio (SNR) requirement for the modulation scheme.

Formulated messages need to take the effects of automatic repeat request (ARQ) into consideration, incorporating sequence numbers as well as being longer than an ARQ block to ensure that the cyclic redundancy check (CRC) test passes and the message is accepted.

The position uncertainty of the MS, BS, and attacker and the corresponding variations in propagation delay were analyzed against the guard interval (GI) between OFDM symbols. It was found that the guard interval is more than sufficient to handle the uncertainties foreseen.
Power Related Attacks on IEEE 802.16m-2011. Having proposed the means to inject MAC management messages, we proceed to discuss a class of attack that involves injecting messages to manipulate the uplink power control of AMSs. One possibility of attacking uplink power management is to inject an uplink noise and interference level broadcast (AAI-ULPC-NI) message with a low or high noise and interference (NI) value. If a low value is injected, the AMS transmission power drops and its bit error rate increases, or reception may be eliminated altogether. If a high NI value is injected, the high signal strength may increase interference for cells in the vicinity using the same frequencies. AAI-ULPC-NI is a broadcast message, and all AMSs within the cell served by the ABS can be affected. Although all AMSs can potentially be affected, the timing adjustment from the attacker to each individual AMS also needs to be correct for that AMS to take in the broadcast correctly.

In another possibility for attacking uplink power management, the SINRtgt parameter might be manipulated by spoofing a system configuration descriptor (AAI-SCD) message with amended "dataSinrMin", "gammalotFpx" and "alpha" parameters.

Other Attacks on IEEE 802.16m-2011. Multiple input multiple output (MIMO) parameters can be doctored to disrupt network operations. By spoofing the AAI-SCD message with a false "Alpha" parameter (which indicates the number of receive antennas), an AMS attempting to join a network can possibly be confused as to the actual number of receive antennas on the ABS and adopt the wrong MIMO scheme as well as the wrong parameters and codes, disrupting communications. Another attack vector involves spoofing the AAI-SBC-REQ message during initial network entry, indicating lower or erroneous MIMO parameters. Alternatively, an AAI-SBC-RSP management message can be spoofed with MIMO settings that do not match those requested by the AMS. As a result, a mismatch in parameters between ABS and AMS can arise that can disrupt communications.
The ABS can be flooded to deny service to legitimate AMSs. Repeated transmission of AAI-RNG-REQ messages can tie up ABS resources and deny entry for legitimate AMSs. During network entry, by injecting AAI-RES-CMD before the security association is formed by the targeted AMS, an attacker can cause the AMS to abort the process and reset its MAC.

An AMS in sleep mode to conserve battery power can be forced to be awake longer than necessary by an attacker spoofing AAI-TRF-IND, thus draining its battery faster. This vulnerability has been identified in legacy systems in [2], [4], and [5] and is verified as still present within IEEE 802.16m-2011. Alternatively, AMSs in idle mode to conserve power can be forced to join a network by an attacker spoofing AAI-PAG-ADV, also draining their batteries faster.

An AAI-RNG-ACK message can be spoofed with incorrect timing, frequency, and power adjustments to disrupt network entry.

Blair proposed spoofing AAI-SBC-REQ with a low or nil encryption/decryption capability class [8]. Alternatively, an attacker can issue an AAI-SBC-RSP management message with capability classes that do not match those requested by the AMS.

An attacker can spoof AAI-NBR-ADV with a nonexistent BS or by falsely reporting poor characteristics of neighboring BSs to hamper MSs from initiating handover to a BS with better characteristics. This vulnerability was identified for the legacy standard [2, 5] and was found to still exist in IEEE 802.16m.

An AAI-LBS-ADV message can be spoofed with wrong latitude and longitude coordinates for the serving and neighboring ABSs to confuse an AMS as to its own location and degrade its GPS receiver's performance.
Attacks on Legacy Systems. An AAS_Beam_Select message can be spoofed to inform the BS of a preferred beam radically different from that previously selected to disrupt communications.

By spoofing an FPC message, the attacker can reduce or increase the MS transmission power over a range of +32 dB to -32 dB, in steps of 0.25 dB [5].

All ARQ messages are unprotected and can be leveraged to disrupt communications. ARQ-Reset, ARQ-Discard, and ARQ Feedback can be spoofed to misalign ARQ sequences between the BS and MS. The vulnerability of ARQ-Reset is identified in previous literature [3].

The PRC-LT-CTRL message can be spoofed to turn on/off long-term MIMO precoding with feedback and to change the precoding application delay, with the objective of causing a mismatch between the BS and MS and disrupting communications.

The BS can be flooded to deny service to legitimate MSs. Repeated transmission of RNG-REQ messages can tie up BS resources and deny entry for legitimate MSs. During network entry by victim MSs, by injecting RES-CMD before the security association is formed, an attacker can cause the MS to abort the process and reset its MAC.

MSs in sleep mode can be forced to wake up sooner than necessary by spoofing MOB-TRF-IND, thus draining their battery faster [2], [4], and [5]. As for MSs in idle mode, they can be forced to join a network by an attacker's spoofing MOB-PAG-ADV to drain the battery.

An attacker can spoof MOB-NBR-ADV with a nonexistent BS or by falsely reporting poor characteristics of neighboring BSs to hamper MSs from initiating handover to a BS with better characteristics [4, 5].

The UCD, DCD, UL-MAP, and DL-MAP together serve to define the UL and DL channels. Modification or scrambling of these unprotected management messages will result in disruption of communications.
An attacker can spoof DBPC-REQ to request a BS to change its communication profile to one with a higher data rate but less robustness, i.e., a profile unsuitable for prevailing channel conditions. This can result in high error rates, disrupting communications [5].

An attacker may spoof CLK-CMP messages to misalign MS/BS clocks.

Conclusion. While IEEE 802.16-2009 offered significant improvements over its predecessors, a number of control messages still remain unauthenticated and unencrypted. In addition to the vulnerabilities identified in the literature, twelve attack vectors using control messages are proposed in this thesis.

IEEE 802.16m-2011 is a significant revision (with a new set of control messages), structurally enhanced to increase privacy and raise barriers to attacks while maintaining backward compatibility with legacy standards. By introducing encryption for some control messages, the new standard reduces the exposure of system operating information that may be used against it. More significantly, by scrambling the advanced medium access protocol (A-MAP) using secret initial vectors exchanged securely during security negotiations upon network entry, a passive listener will have difficulty identifying how radio resources are allocated or which AMS is the destination or originator. This effectively prevents exploitation of all unicast control messages and enhances privacy. Nonetheless, broadcast control messages are still open to exploitation, and a significant number of the vulnerabilities in IEEE 802.16-2009 still exist in this revision. In addition to the vulnerabilities identified in the literature, thirteen attack vectors using control messages are proposed in this thesis.
I. INTRODUCTION


A. BACKGROUND

The last three decades saw phenomenal growth in information technology and, in tandem, in telecommunications and networks. In this information age, the generation, processing, distribution, and consumption of information drives numerous aspects of warfare, business, and everyday life. The proliferation of the Internet's reach and the explosion of online content have driven demand for mobile data communications. On the commercial front, we have seen tremendous leaps from low-speed, low-mobility capabilities to third-generation broadband, with market penetration outstripping that of landline phones in many countries.

Worldwide Interoperability for Microwave Access (WiMAX) is a next-generation, wireless data-communications standard poised to dominate mobile data connectivity in the commercial and military arenas. Numerous WiMAX networks are deployed worldwide (see Figure 1). The WiMAX Forum states that WiMAX subscriptions exceeded 20 million in 2011, with more than $502 million spent on WiMAX equipment in Quarter 1 of 2011 alone [1]. Meanwhile, population coverage has broken through the 800 million mark (see Figure 2) and is fast approaching a billion [2].

On the military front, developments in network-centric warfare, unmanned vehicles, and sensor networks have driven the capability development and bandwidth requirements of mobile-data connectivity. Cost and budgetary pressures in the developed world have caused defense budgets to be pared and militaries to leverage commercial technologies more and more, resulting in shifts to commercial, off-the-shelf (COTS) technologies, including in wireless networks.
Figure 1. Pictorial representation of WiMAX deployments (From [3]).

Figure 2. Population coverage of WiMAX deployments [2].

However, the security and robustness of the commercial standard must be examined and the risks understood and mitigated before it can be considered for military applications. At the same time, with the proliferation of WiMAX networks worldwide, the ability to exploit or disrupt operations can be of operational value.

B. WIMAX STANDARD DEVELOPMENT

The IEEE 802.16 group of standards had its beginnings in 1998, when a group was formed to develop the fourth generation of air-interface standards for wireless broadband. The initial standard had a single-carrier physical layer operating from 10 GHz to 66 GHz for line-of-sight (LOS) operations, with many MAC-layer concepts adapted from the cable modem DOCSIS (data over cable service interface specifications) standard.

Orthogonal frequency-division multiplexing (OFDM) was subsequently incorporated to mitigate multipath fading, and operating frequencies of 2 to 11 GHz were adopted to enable near line-of-sight (NLOS) operations instead of LOS.

Orthogonal frequency-division multiple access (OFDMA) was another key feature adopted later, resulting in IEEE 802.16-2004, which, forming the first baseline standard, superseded all previous versions. Up to this point, all standards were designed for fixed or nomadic applications. IEEE 802.16e was developed and released in 2005, providing support for mobile nodes and incorporating new security features.

The next key milestone was IEEE 802.16-2009, which includes important enhancements such as support for 20 MHz bandwidth, improved multi-antenna transmission and processing schemes, and enhanced multicast, broadcast, and location-based services. Within IEEE 802.16m-2011, the advanced air interface (AAI) was developed to meet the requirements of ITU-R/IMT-Advanced for 4G systems. Relying on available bandwidth and multi-antenna mode, IEEE 802.16m systems are now capable of over-the-air transfer rates in excess of 1 Gbit/sec while maintaining interoperability with legacy equipment built to preceding standards.
C. RELATED WORK

Much work has been accomplished to evaluate security concerns and vulnerabilities within IEEE 802.16 standards. Some of these concerns are discussed in the following subsections.

1. Lack of Encryption and/or Authentication for MAC Management/Control Messages

The vast majority of works reviewed, including [4], [5], [6], [7], [8], [9] and [10], exploited WiMAX MAC management/control messages that were not authenticated or encrypted, giving rise to man-in-the-middle attack vulnerabilities.

Han et al. in [5] as well as Rahman et al. in [10] exploited the fact that even with newer versions of legacy WiMAX (up to IEEE 802.16-2009), which offered authentication for selected management messages, the initial ranging process (part of the network entry process) was not protected. Hence, an attacker could modify management messages and force a low security configuration for the network session. Similar vulnerabilities also provided avenues for an attacker to modify unprotected messages to trigger an abortion of the ranging process, hence aborting network entry. Lack of authentication of sleep mode messages was also exploited to trigger mobile stations to enter sleep mode.

Bakthavathsalu et al. in [6] leveraged similar weaknesses to spoof unprotected messages within network entry authentication processes to force MSs entering the network into authorization wait states, disrupting network entry processes. Even after network entry, unauthenticated ARQ messages could also be spoofed to reset ARQ sequence numbers at MSs, disrupting communications.

Taha et al. in [7], as well as Andreas in [8], highlighted the same lack of authentication, which can lead to water-torture attacks in which sleeping MSs are forced to wake up by an attacker injecting traffic indication messages, indicating the presence of messages awaiting the sleeping MS. In addition, attackers could falsify neighbor advertisement messages to disrupt the handover process.
Deininger et al. in [8] went on to discuss related security weaknesses valid for IEEE 802.16-2009 and earlier. The fast power control message (FPC) can be altered to increase or decrease the power of MSs. Messages can be spoofed to remove MSs from multicast polling groups. An MS can also be forced into a downlink burst profile not suitable for its operating environment, adversely affecting error rates and throughput. Power control mode can also be manipulated.

2. Weakness of Symmetrical Keys for Multicast/Broadcast

Deininger et al. in [8] also discuss the inherent weakness of using symmetrical keys for multicast and broadcast. For practical considerations and efficiency, the same set of symmetrical keys is used for all BSs and MSs for encryption and decryption of multicast and broadcast traffic. However, this means that if one node is compromised, all multicast and broadcast traffic is compromised.

3. Weakness in Encryption Algorithm

According to [4], IEEE 802.16-2004 supports only the data encryption standard (DES), for which weaknesses have been uncovered and which is deemed less secure. IEEE 802.16e-2005 includes support for the advanced encryption standard (AES), which resolved this issue and, for the time being, is deemed secure enough for the federal government to use to protect sensitive data.


4. Progressive Elimination of Security Gaps

The persistent and good work of the above researchers prompted review of and incremental improvements in protection for later versions of the standard through selective introduction of authentication for management messages. Thus, some of the vulnerabilities seen in the past have been removed in revisions of WiMAX.
5. New AAI Interface for IEEE 802.16m Warrants Fresh Vulnerability Assessment on a Clean Slate

The release of IEEE 802.16m-2011 saw a substantially revised MAC and PHY in the form of the advanced air interface (AAI), which can be likened to a new standard built to run in harmony with previous legacy standards. This fundamentally new interface warrants a fresh examination for vulnerabilities, and Blair [11] performed such an examination. He highlighted vulnerabilities related to the lack of authentication for ranging and capability negotiation messages that are exchanged before execution of the authentication process. An attacker could spoof ranging response messages with the abort flag set to deny entry to MSs. Alternatively, capability negotiation messages could be altered to cause a low security connection to be formed to compromise data sent during the session.

D. RESEARCH OBJECTIVE

This project involves exploring methods of hacking into and manipulating the WiMAX control channel. This thesis research can serve as a starting point to protect, as well as to exploit, protocol weaknesses in WiMAX, thus opening exploitation space.

E. RESEARCH SCOPE

The focus of this research is on IEEE 802.16m-2011, which, besides offering advanced capabilities, extends support for all legacy standards. Coverage of the legacy standard IEEE 802.16-2009 is included when relevant and appropriate.

The system boundary is set at interactions within a cell supported by an advanced base station and its sectors where applicable. For the purposes of this research, we limit ourselves to the time-division duplexing (TDD) configuration for WiMAX deployment, as this is by far the most popular configuration deployed.
F. ORGANIZATION

A brief overview of IEEE 802.16m-2011 and IEEE 802.16-2009 is presented in Chapter II to form a foundation for later material. Protection schemes in WiMAX for control messages and the extent of their coverage are introduced in Chapter III. Investigation efforts are thus focused on unprotected messages. In Chapter IV, the methodology for spoofing control messages within a challenging time-division multiple access (TDMA) regime is proposed. With the target and tools identified, previously identified attack vectors for IEEE 802.16m-2011 and legacy standards are discussed and new attack vectors are proposed in Chapter V. Conclusions and suggested future work are presented in Chapter VI.
II. IEEE 802.16M-2011 - ADVANCED AIR INTERFACE


An overview of the IEEE 802.16m-2011 standard is presented in this chapter to form a basis for discussion in subsequent chapters. Emphasis is placed on concepts relevant to this research topic. An overview is first provided with reference model and state diagrams, to form a context and foundation. Subsequently, MAC and PHY functions are dealt with in detail. Although this research covers IEEE 802.16-2009, in the interests of space, an overview is not provided, though relevant differences are highlighted when discussing vulnerabilities.

A. OVERVIEW

The reference model of the IEEE 802.16m-2011 standard is shown in Figure 3; it is defined in line with the open systems interconnection (OSI) model. The standard's scope, however, is limited to the MAC and PHY layers.

The MAC layer consists of three sublayers: the service specific convergence sublayer (CS), the MAC common part sublayer (CPS), and the security sublayer. The service specific CS provides transformation and mapping of network layer data into MAC service data units (SDU), as well as header suppression functions. Different CSs are provided for different network layer protocols. The MAC CPS contains the core functionality of the standard, including system access, bandwidth allocation, connection establishment, and connection maintenance. The security sublayer performs authentication, secure key exchange, and encryption functions.

The interfaces between layers are defined as service access points (SAP), with data entering a sublayer referred to as a service data unit (SDU) and data leaving a sublayer defined as a protocol data unit (PDU).

Figure 3. Reference model for IEEE 802.16 (From [13] section 1.4).

The contents of the protocol stack are illustrated in Figure 4.

Figure 4. IEEE 802.16m general protocol stack (From [14]).


The radio resource control and management group includes a number of functional blocks. The radio resource management block adjusts radio network parameters according to load and environment. The mobility management block monitors neighboring base stations (BSs) and makes handover decisions. The network entry management block controls network entry procedures and sequences. The location management block manages location-based services (LBS). The idle mode management block controls idle mode operation. The security management block performs key management. The system configuration block manages system configuration and generates broadcast control messages such as superframe headers. The multicast and broadcast service (MBS) block controls and generates MBS messages. The service flow and connection management block manages and allocates station identifiers (STIDs) and flow identifiers (FIDs). The multi-carrier block allows a single MAC to control multiple physical layers.

The medium access control (MAC) function group on the control plane consists of a number of functional blocks. The PHY control block performs signaling such as ranging, channel quality measurement/feedback (CQI), and hybrid automatic repeat request (HARQ) ACK or negative acknowledgement (NACK) signaling. The control signaling block generates resource allocation messages such as advanced medium access protocol (A-MAP) and control messages. The sleep-mode management block oversees sleep operations and is responsible for related messages. The quality-of-service block manages data rate according to quality-of-service (QoS) inputs from the connection management block. The scheduling and resource-multiplexing block schedules and multiplexes data based on requirements and subchannel characteristics. The interference management block performs inter-BS coordination as well as intra-BS measures to manage interference.

The medium access control function group on the data plane consists of a number of functional blocks. The fragmentation/packing block fragments and packs MAC SDUs based on inputs from the scheduling and resource multiplexing block. The automatic repeat request (ARQ) block generates sequentially numbered ARQ blocks from MAC SDUs of the same flow. The MAC protocol data unit formation block constructs MAC PDUs.

The state diagram of an IEEE 802.16m mobile station is provided in Figure 5.

During the initialization state, a mobile station without active connections scans for and synchronizes to a cell, acquiring the cell identification and system configuration information.

During the access state, the mobile station performs network entry through ranging and uplink synchronization, capability negotiation, authentication, authorization and key exchange, registration, and service flow establishment.

During the connected state, the mobile station performs uplink and downlink communications in one of three sub-modes: active mode, sleep mode, and scanning mode. Active mode is the mode in which normal communications occur. On downlink communications, channel quality measurements are performed by the MS. These measurement results are sent to the BS so that the BS scheduler can adapt its uplink and downlink assignments to channel conditions. Sleep mode is used by the MS to minimize power drain and radio resource usage. A traffic indication message from the BS alerts the sleeping MS that a message is incoming. Scanning mode is used by the MS to prepare for handover; the MS can be instructed to enter this mode, in which it scans for other BSs.

During the idle state, the MS becomes unregistered and is only able to receive downlink broadcasts. If paging was pre-negotiated, the MS can be paged, causing it to enter the access state for network reentry.

B. MEDIA ACCESS LAYER

1. Addressing

All mobile terminals are uniquely identified by a 48-bit universal MAC address. Within IEEE 802.16-2009, all connections are uniquely identified by 16-bit connection identifiers (CIDs). With IEEE 802.16m-2011, there are two addressing identifiers instead of the CID (Figure 6): the station identifier (STID), which is 12 bits long and used to identify an AMS; and the flow identifier (FID), which is 4 bits long and used to address the active service flows of an AMS.

[Figure 6 diagram: STID (12 bits) followed by FID (4 bits).]

Figure 6. Illustration of IEEE 802.16m-2011 addressing.

This enables greater efficiency, as the advanced generic medium access header (AGMH) for MAC PDUs need only contain FIDs, while the STIDs need only be included within the assignment advanced medium access protocol (A-A-MAP), which maps out radio resources (in terms of subcarriers and time) as bursts for individual AMSs.

2. MAC Headers

The AGMH is used with MAC management messages or with user payload (see Figure 7). This header is significantly smaller than legacy headers due to the removal of the CID (16 bits), which is replaced with the FID (four bits). Extended headers can be added as required, while MAC signaling headers do not carry user payload but are used for control and management signaling. These include bandwidth request, report, and feedback functions.

Figure 7. MAC headers and extended headers (From [14]).
3. Mobility Management and Handover

Handover can be AMS initiated or ABS initiated. A series of MAC management messages is sent over the air, as well as over the backhaul (between the serving base station and the target base station). In both cases, the serving base station (S-BS) sends a HO-REQ message to the target base station (T-BS), which replies with a HO-RSP to the S-BS. If the handover can proceed, the S-BS issues an AAI-HO-CMD message to the AMS. The AMS then replies with an AAI-HO-IND message before commencing a network reentry procedure with the T-BS. Upon completion, the T-BS sends HO-COMPLT to the S-BS. This process is illustrated in Figure 8.

Figure 8. General handover flow (From [14]).

4. Quality of Service

A unidirectional flow of user data packets is associated with a service flow identifier (SFID), which in turn has an associated QoS. The QoS represents the tradeoff and prioritization of resources to ensure a satisfactory level of experience for different applications and users of the system. QoS classes range from unsolicited grant service (UGS), meant for providing fixed and constant bandwidth for real-time applications (much like dedicated circuits), to best effort (BE), which supports non-time-sensitive applications. A summary of the QoS classes available for use is given in Table 1.

Table 1. QoS classes.

QoS Class                                   Applications                            QoS Specifications
UGS (Unsolicited Grant Service)             VoIP                                    Maximum sustained rate, maximum latency tolerance, jitter tolerance
rtPS (Real-Time Packet Service)             Streaming audio, video                  Minimum reserved rate, maximum sustained rate, maximum latency tolerance, traffic priority
ErtPS (Extended Real-Time Packet Service)   Voice with activity detection (VoIP)    Minimum reserved rate, maximum sustained rate, maximum latency tolerance, jitter tolerance, traffic priority
nrtPS (Non-Real-Time Packet Service)        FTP                                     Minimum reserved rate, maximum sustained rate, traffic priority
BE (Best-Effort Service)                    Data transfer, web browsing             Maximum sustained rate, traffic priority
aGPS (Adaptive Granting and Polling)        Application agnostic                    Maximum sustained traffic rate, request/transmission policy, primary grant and polling interval, primary grant size

5. MAC Management/Control Messages

MAC management/control messages form an important part of the many control channels. Messages are put into PDUs and transported over broadcast or unicast connections. Hybrid automatic repeat request (HARQ) is used for MAC messages sent over unicast control connections. Some of these message types are encrypted and protected with an integrity check value (ICV), some are authenticated with a cipher-based message authentication code (CMAC), while others are not protected. An entirely new set of messages (besides legacy ones that are still supported) is defined for IEEE 802.16m-2011; these are prefixed with "AAI."


6. Connection and Session Management

In IEEE 802.16m-2011, connections are identified by a combination of STID (12 bits) and FID (four bits). Management connections carry MAC management messages and are bidirectional; they are established upon successful registration of the AMS. Transport connections carry user data and are unidirectional.

Service flows are created through the dynamic service addition/change/delete family of MAC control messages, with a QoS associated. These service flows are uniquely mapped to FIDs.

In IEEE 802.16-2009, a connection is identified by a 16-bit connection ID (CID), and all connections are unidirectional. The three types of management connections are basic (for short and time-sensitive MAC messages), primary (for long and delay-tolerant MAC messages), and secondary.

7. Mobility and Power Management

The vast majority of WiMAX devices are mobile, and power conservation for these battery-operated devices is important. Two modes of operation are provided to reduce battery drain.

An AMS in sleep mode remains in the connected state but has pre-negotiated periods of absence. A series of alternating listening and sleep windows is available, and these can be switched dynamically among sixteen available patterns (only three modes are available with the legacy system). During an AMS's listening window, the ABS can transmit traffic indication messages to indicate the presence of traffic due for the AMS. If there is no traffic due, the AMS reverts to sleep for the rest of the listening window, saving more power.

An AMS in idle state is only available periodically for DL broadcast traffic messaging, without registering at an ABS. This allows a further reduction in power and radio resources. An idle AMS wakes at paging intervals and monitors the paging broadcast messages sent by the ABS. An AMS can terminate the idle state and transit into the access state to perform network-reentry procedures with the ABS.

8. Scheduling Services

The scheduler takes into consideration the bandwidth request, the QoS associated with the service flow, and the channel conditions of the MSs to allocate radio resources (in terms of subcarriers and time within each OFDMA frame), to decide the modulation and coding scheme (MCS), and to determine the MIMO parameters used for individual service flows.


9. Bandwidth Request and Allocation

Transmission bandwidth is centrally controlled by the ABS, and the AMS needs to signal the ABS to request bandwidth to adjust to traffic conditions. It has several means to do this [15] (Section 16.2.11.1). Firstly, a contention-based random access bandwidth request can be used. The MS can do this by transmitting a bandwidth request preamble sequence and a quick-access message (12 bits) on the bandwidth request channel. This process is illustrated in Figure 9. Secondly, a standalone bandwidth request header can be used by the AMS to send a bandwidth request in step three of the "five-step, contention-based random access BR" procedure or as a response to polling from the ABS.

[Figure 9 diagram: exchanges between AMS and S-ABS. Three-step BR: BR preamble sequence and quick access message; BR-ACK A-MAP IE (grant for UL transmission); UL scheduled TX. Five-step BR: BR preamble sequence (message part undecodable); BR ACK A-MAP IE (grant for standalone BR header); standalone BR header; grant for UL transmission; UL scheduled TX.]

Figure 9. Contention-based bandwidth request (three step and five step) (From [15] section 16.2.11.1.1).

Thirdly, a piggybacked bandwidth request can be used by an AMS to request bandwidth for the same or a different connection by attaching an extended header to a MAC PDU carrying a data payload. Fourthly, a bandwidth request can also be made through the primary fast-feedback channel (P-FBCH) in one of two ways. The first way uses the bandwidth request indication flag feedback: an AMS can send a specific codeword (representing a BR indication flag) on the P-FBCH to indicate to the ABS its intention to request UL allocation, without the need to perform a random access bandwidth request. The second way is termed the extended real-time packet service (ErtPS)/adaptive granting and polling (aGP) service bandwidth request. By sending a specific codeword through the P-FBCH, the AMS can inform the ABS of pending ErtPS data.

10. Automatic Repeat Request (ARQ)/Hybrid Automatic Repeat Request (HARQ)

ARQ and HARQ are schemes for error control. An ARQ block can be generated from one or more MAC service data units (SDUs) or MAC SDU fragment(s). ARQ blocks are sequentially numbered and can vary in size. ARQ and HARQ can be applied on a flow at the same time. Should the HARQ checks fail, the HARQ entity can inform the ARQ entity to trigger retransmission and re-segmentation of ARQ blocks. For the downlink, IEEE 802.16m uses adaptive synchronous HARQ, where the resource allocation and transmission format for a retransmission may vary from those of the original transmission, and control signals are needed to indicate the changes. For the uplink, a non-adaptive synchronous HARQ scheme is used, meaning that the parameters and resource allocation for the retransmission are known in advance. An illustration of HARQ operation in TDD mode for DL and UL [14] is provided in Figure 10.

[Figure 10 diagram (HARQ for UL transmission): the i-th and (i+1)-th frames with DL and UL subframe indices 0 to 7, showing the UL assignment, the UL data burst, the HARQ feedback, and the following UL data burst.]

Figure 10. Example of TDD DL and UL HARQ timings (From [14]).


11. Security Sublayer

The diagram in Figure 11 provides an overview of the IEEE 802.16m security architecture. Entities can be grouped into two categories: security management, and encryption and integrity. The latter consists of a user data encryption and authentication entity and a management message authentication/confidentiality entity, as well as an authentication entity for standalone signaling headers.

The advanced encryption standard (AES) in counter mode with cipher block chaining message authentication code (CCM), often referred to as AES-CCM, is the symmetric block-cipher mode supported by IEEE 802.16m, providing authentication and privacy. The encryption and integrity entities rely on AES-CCM to provide confidentiality and integrity functions under the control of the security management entities.

The security management entities consist of the overall security management and control entity, the authentication and security association (SA) control entity, the privacy key management (PKM3) entity, the extensible authentication protocol (EAP) entity, and the location privacy entity.

The overall security management and control entity manages and coordinates the operation of the other security entities. The authentication and SA control entity manages the formation of security associations. The SA contains information related to a connection, such as the level of security applied or the UL and DL traffic encryption keys (if applicable). Some of these are dependent on the outcome of capability negotiation, where the ABS and AMS agree on the level of security to adopt. The PKM3 entity is responsible for performing mutual and unilateral authentication and establishes confidentiality between the ABS and AMS through a series of steps and algorithms that ensure secure key exchange over an insecure connection. The EAP encapsulation/de-encapsulation entity is responsible for exchanging EAP messages as part of PKM3 to perform authentication and authorization functions.

The last entity is the location privacy entity. IEEE 802.16-2009 does not provide a means of concealing the identity of the AMS. The real MAC address is used during initial ranging and registration during network entry, and the connection IDs (CIDs) issued in plain can be used to identify and track an MS throughout the whole session. IEEE 802.16m provides the means to use a pseudo identity during network entry, and the station ID (STID) used to address AMSs is issued under the protection of encryption.

Figure 11. Functional blocks within 802.16m security architecture (From [14]).


C. PHYSICAL LAYER

1. Orthogonal Frequency-Division Multiple Access

Orthogonal frequency-division multiplexing (OFDM) is a form of multi-carrier modulation technique that distributes data across multiple carriers. These carriers' frequencies are selected such that adjacent subcarriers are separated by the subcarrier symbol rate, thereby maintaining spectral orthogonality. This essentially enables high data throughput while limiting the effects of inter-symbol interference (ISI) and multipath distortion, since the OFDM symbol duration is made much longer than is the case without multiple carriers. In addition, a cyclically extended guard interval, where each OFDM symbol is prefixed with a periodic extension of the signal itself, can be added, called a cyclic prefix (CP). Thus, when this guard interval is longer than the multipath delay, the ISI can be effectively eliminated [14]. To support multiple users, the whole OFDM channel can be time-multiplexed among different users. This process is illustrated in Figure 12.

[Figure 12 diagram: one useful OFDM symbol shown in the frequency domain and in the time domain.]

Figure 12. OFDM generation and cyclic prefix (From [14]).

Orthogonal frequency-division multiple access (OFDMA) takes the time-multiplexed OFDM concept one step further by simultaneously multiplexing across the frequency domain (see Figure 13). This is done by allowing the assignment of subcarriers to different users over time. Hence, radio resources can be divided in a granular manner into resource blocks and assigned to users dynamically, on the fly, by a scheduler. The scheduler can take channel conditions and the QoS of the service flow into consideration and, among other factors, optimize every frame in a manner that is responsive to demand. OFDMA is available for use in IEEE 802.16 for both UL and DL.

[Figure 13 diagram: OFDM and OFDMA allocations plotted against time.]

Figure 13. Conceptual comparison between OFDM and OFDMA (From [16]).

2. Frame Structure

The IEEE 802.16m frame is illustrated in Figure 14. A superframe consists of four frames lasting 5 ms each. Within each frame are subframes, with transmit/receive switching intervals included. Each subframe consists of a number of OFDM symbols with a CP before each symbol. How the system parameters change with the different data bandwidths selected is shown in Table 2.

Figure 14. Frame structure illustration for TDD and CP=1/8 (From [15] section 16.3.3.2.2).

Table 2. Frame timings with different bandwidths and CP (From [15]).

Nominal channel bandwidth (MHz)           5         7         8.75      10        20
Sampling factor                           28/25     8/7       8/7       28/25     28/25
Sampling frequency (MHz)                  5.6       8         10        11.2      22.4
FFT size                                  512       1024      1024      1024      2048
Subcarrier spacing (kHz)                  10.94     7.81      9.76      10.94     10.94
Useful symbol time Tu (µs)                91.429    128       102.4     91.429    91.429

CP Tg = 1/8 Tu
  Symbol time Ts (µs)                     102.857   144       115.2     102.857   102.857
  FDD: OFDM symbols per 5 ms frame        48        34        43        48        48
  FDD: idle time (µs)                     62.857    104       46.40     62.857    62.857
  TDD: OFDM symbols per 5 ms frame        47        33        42        47        47
  TDD: TTG + RTG (µs)                     165.714   248       161.6     165.714   165.714

CP Tg = 1/16 Tu
  Symbol time Ts (µs)                     97.143    136       108.8     97.143    97.143
  FDD: OFDM symbols per 5 ms frame        51        36        45        51        51
  FDD: idle time (µs)                     45.71     104       104       45.71     45.71
  TDD: OFDM symbols per 5 ms frame        50        35        44        50        50
  TDD: TTG + RTG (µs)                     142.853   240       212.8     142.853   142.853

CP Tg = 1/4 Tu
  Symbol time Ts (µs)                     114.286   160       128       114.286   114.286
  FDD: OFDM symbols per 5 ms frame        43        31        39        43        43
  FDD: idle time (µs)                     85.694    40        8         85.694    85.694
  TDD: OFDM symbols per 5 ms frame        42        30        37        42        42
  TDD: TTG + RTG (µs)                     199.98    200       264       199.98    199.98
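Reproducing the Table 2 timings from bandwidth, sampling factor, FFT size and CP ratio, as an added example that is not part of the thesis. The formulas, and the reservation of one symbol time (two for the 8.75 MHz, CP=1/4 entry) for the TTG + RTG gaps, are assumptions inferred from the standard's OFDMA parameter definitions and from the table's own values.

```python
"""Added example (not from the thesis): derive the IEEE 802.16m frame timings of
Table 2. Assumed formulas (not stated on the page):
  Fs = floor(n * BW / 8000) * 8000      sampling frequency (Hz)
  df = Fs / N_FFT                        subcarrier spacing (Hz)
  Tu = 1 / df,  Ts = Tu * (1 + G)        useful and total OFDM symbol time
  FDD symbols per 5 ms frame = floor(5000 us / Ts)
  TDD symbols = FDD symbols - tdd_gap_symbols, the remainder being TTG + RTG.
"""
from fractions import Fraction
import math

FRAME_US = 5000  # one 5 ms frame

# Table 2 columns: nominal bandwidth (MHz) -> (sampling factor n, FFT size)
PROFILES = {
    "5": (Fraction(28, 25), 512),
    "7": (Fraction(8, 7), 1024),
    "8.75": (Fraction(8, 7), 1024),
    "10": (Fraction(28, 25), 1024),
    "20": (Fraction(28, 25), 2048),
}

# Cyclic-prefix ratios G = Tg / Tu used in Table 2
CP_RATIOS = {"1/8": Fraction(1, 8), "1/16": Fraction(1, 16), "1/4": Fraction(1, 4)}


def frame_timing(bw_mhz, cp, tdd_gap_symbols=1):
    """Return one Table 2 column block for bandwidth `bw_mhz` (a PROFILES key)
    and cyclic prefix `cp` (a CP_RATIOS key). `tdd_gap_symbols` is how many
    symbol times TDD gives up to TTG + RTG (Table 2 uses 1, except 8.75 MHz at
    CP=1/4, which uses 2). Exact rational arithmetic keeps the idle and gap
    times as the table prints them."""
    n, nfft = PROFILES[bw_mhz]
    bw_hz = Fraction(bw_mhz) * 1_000_000
    fs_hz = math.floor(n * bw_hz / 8000) * 8000
    spacing_hz = Fraction(fs_hz, nfft)
    tu_us = Fraction(1_000_000) / spacing_hz
    ts_us = tu_us * (1 + CP_RATIOS[cp])
    fdd_symbols = math.floor(FRAME_US / ts_us)
    tdd_symbols = fdd_symbols - tdd_gap_symbols
    return {
        "sampling_freq_mhz": float(Fraction(fs_hz, 1_000_000)),
        "subcarrier_spacing_khz": float(spacing_hz / 1000),
        "tu_us": float(tu_us),
        "ts_us": float(ts_us),
        "fdd_symbols": fdd_symbols,
        "fdd_idle_us": float(FRAME_US - fdd_symbols * ts_us),
        "tdd_symbols": tdd_symbols,
        "ttg_rtg_us": float(FRAME_US - tdd_symbols * ts_us),
    }


def table2():
    """All (bandwidth, CP) combinations of Table 2, keyed as (bw, cp)."""
    rows = {}
    for cp in CP_RATIOS:
        for bw in PROFILES:
            gap = 2 if (bw, cp) == ("8.75", "1/4") else 1
            rows[(bw, cp)] = frame_timing(bw, cp, gap)
    return rows


if __name__ == "__main__":
    for (bw, cp), t in table2().items():
        print(f"{bw:>5} MHz CP={cp:<4} Ts={t['ts_us']:8.3f} us  "
              f"FDD {t['fdd_symbols']} sym idle {t['fdd_idle_us']:7.3f} us  "
              f"TDD {t['tdd_symbols']} sym TTG+RTG {t['ttg_rtg_us']:7.3f} us")
```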
3. Subchannelization

Available physical OFDM subcarriers and OFDM symbols are grouped into physical resource units (PRUs), and these are remapped into two types of logical entities: contiguous resource units (CRUs) and distributed resource units (DRUs). Partitioning frequencies in this manner facilitates fractional frequency reuse (FFR). CRUs are optimized for frequency scheduling gain, while DRUs are good for frequency diversity gain [14]. The mapping process is illustrated in Figure 15, which shows how PRUs are grouped into CRUs and DRUs and mapped into logical resource units (LRUs).

Figure 15. Physical to logical mapping process (From [14]).


4. Channel Coding and Modulation

The role of channel coding is to introduce redundancy into the transmitted data to enable correction of bit errors at the receiver end without further intervention from the transmitter. The net effect is to decrease the error rate, reduce transmission power, and increase transmission distance [14]. For data channels, IEEE 802.16m uses convolutional turbo code (CTC) with a minimum code rate of 1/3. The coding and modulation process for traffic channels is summarized in Figure 16. For control channels, a tail-biting convolutional code (TBCC) with a minimum rate of % is used. This form of coding is slower but more reliable. For HARQ feedback channels, HARQ incremental redundancy coding is used, while different versions of constellation rearrangement (CoRe) are used for 16QAM and 64QAM data.

Figure 16. Coding and modulation process (From [17]).

Note that all data is randomized or scrambled as part of the coding and modulation process using a pseudo-random binary sequence (PRBS) generated by the circuit shown in Figure 17. This operation is performed on all data except the frame control header (FCH) and preambles, and the generator is reinitialized with the fixed sequence [LSB] 011011100010101 [MSB] for every forward error correction (FEC) block. Since the sequence is known and fixed, the scrambled data transmitted over the air can be decoded into plain data, and plain data can be encoded into scrambled data for transmission. For the purpose of this thesis, the underlying plain data scrambled with this process is regarded as available, and scrambled data can be generated from any plain data desired.

[Figure 17 diagram: shift-register PRBS generator with its stages labelled from LSB to MSB.]

Figure 17. PRBS generator (From [15] section 16.3.10.1.3).
5. Synchronization Channel

The first step in network entry involves discovery, which is followed by timing and frequency acquisition, DL synchronization, and base-station identification. The primary advanced preamble (PA-Preamble) and secondary advanced preamble (SA-Preamble) within IEEE 802.16m provide a two-stage process to accomplish these. The PA-Preamble is located at the first OFDMA symbol within the second frame of the superframe. This narrowband synchronization signal is used for initial acquisition, synchronization, and broadcast of system information including the system bandwidth. The SA-Preamble is located at the first OFDMA symbol within the first and third frames of a superframe. This wideband preamble is responsible for fine synchronization and cell/sector identification (Cell ID).

The location of the advanced preambles is illustrated in Figure 18.

[Figure 18 diagram: positions of the superframe header, the PA-Preamble, and the SA-Preamble within the superframe.]

Figure 18. Location of preambles (From [11]).
6. Superframe Headers (Part of Broadcast Channel)

After achieving synchronization and obtaining key system parameters from the advanced preambles, the superframe header contains the next batch of information essential for network entry, reentry, and communication maintenance. The superframe header (SFH) is located in the first subframe of every superframe, occupying the second to the sixth OFDMA symbols of the subframe. The location of the SFH is illustrated in Figure 19. The primary superframe header (P-SFH) occupies the first few data logical resource units (DLRUs) within the SFH, and it is transmitted with a fixed MCS: quadrature phase-shift keying (QPSK) with TBCC coding at 1/24 effective code rate. The secondary superframe header (S-SFH) occupies the DLRUs after the P-SFH, and it can be divided into three subtypes: sub-packet 1 with network reentry information, sub-packet 2 with initial entry information, and sub-packet 3 with the remaining system information. Transmissions of S-SFH1, S-SFH2, and S-SFH3 are interspersed over several superframes; an example of this configuration is illustrated in Figure 20.

Physical processing of the SFH is illustrated in Figure 21.

Figure 19. Positioning of superframe header within superframe (From [15]).

Figure 20. Illustration of secondary superframe header position across superframes (From [15]).

Figure 21. Processing for superframe headers (From [15] section 16.3.5.3.1.1).


7.  Downlink  Control  Channels 

There  are  two  forms  of  downlink  control:  MAC  control/management 
messages  as  discussed  in  earlier  sections  and  medium  access  protocol  (MAP). 
Within  legacy  frames,  MAPs  were  broadcast  messages  that  were  time-division 
multiplexed  with  data  and  jointly  encoded  for  use  by  all  MSs.  Their  main  purpose 
is  to  inform  all  users  on  radio  resource  allocation  for  the  entire  frame.  Although 
the  legacy  MAPs  are  scrambled,  the  algorithm  and  its  start  states  are  known, 
and,  for  the  purpose  of  this  thesis,  available  to  an  attacker.  Hence,  the  commonly 
decodable  DL  and  UL  MAPs  enable  all  MSs  to  know  exactly  which  subcarriers 
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and  OFDMA  symbols  they  are  assigned  for  uplink  and  downlink.  An  illustration  of 
legacy  MAPs  within  context  of  a  frame  is  provided  in  Figure  22. 
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Figure  22.  Structure  of  legacy  MAPs  (After  [14]). 


Within  IEEE  802.16m,  key  changes  include  the  fact  that  it  is  now 
frequency  multiplexed  rather  than  time  multiplexed  and  that  control  data  for 
AMSs  use  different  MCS  to  suit  channel  conditions  experienced  by  individual 
AMSs.  The  overheads  located  within  the  A-MAP,  in  the  context  of  the  IEEE 
802.16m  frame,  is  illustrated  in  Figure  23. 
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Figure  23.  Structure  of  IEEE  802.16m  overhead  channels  (From  [14]). 


The  internal  structure  of  DL  A-MAP  is  illustrated  in  Figure  24.  There  are 
four  different  types  of  DL  A-MAP:  non-user-specific  A-MAP,  assignment  A-MAP, 
HARQ  feedback  A-MAP,  and  power  control  A-MAP.  The  non-user-specific  A- 
MAP  contains  common  information  for  all  AMSs,  including  parameters  required 
to  decode  other  control  channels.  The  assignment  A-MAP  contains  information 
on  radio-resource  assignment  for  broadcast,  multicast  and  unicast 
communications  for  each  individual  AMS.  Broadcast  A-MAP  information 
elements  (lEs)  are  located  at  the  beginning  of  either  assignment  A-MAP  group  1 
or  2  within  the  subframe.  The  HARQ  feedback  A-MAP  contains  feedback 
information  for  the  hybrid  automatic  repeat  request  (HARQ).  The  power  control 
A-MAP  contains  transmission  power  adjust  values  for  each  individual  AMS, 
enabling  ABS  to  quickly  adjust  AMS  transmission  power,  albeit  over  a  small 
range. 
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Figure  24.  Structure  of  A-MAP  region  for  IEEE  802.16m-2011  (From  [14]). 


The different channel coding processes for the different A-MAPs [18] are
depicted in Figure 25. Scrambling is performed for assignment A-MAPs
(resource mapping) and HARQ data. Assignment A-MAP information is first
scrambled by a pseudo-random binary sequence (PRBS) generated by the
circuit shown in Figure 26. If the assignment A-MAP is for unicast traffic, the
random MAPMask-seed value is used to initialize the PRBS generator, and a
CRC mask formed with the STID of the AMS is used to mask the A-MAP data
([15] section 16.3.5.3.2.4). The MAPMask seed and STID are transferred by the
ABS to the AMS in an encrypted manner after AMS registration during network entry.
If the assignment A-MAP is for broadcast traffic, both the initialization vector and
the CRC mask are fixed values instead of random. The above is summarized in
Table 3. The net outcome is that an attacker needs to overcome the obstacles
put in place by the MAPMask seed as well as the STID in order to eavesdrop on, or
even target, unicast traffic bursts in IEEE 802.16m-2011. On the other hand,
broadcast traffic in IEEE 802.16m-2011 remains as vulnerable as in legacy
systems. It is also interesting to note that the HARQ feedback A-MAP is also
scrambled, but only using the STID, before coding and modulation.
Figure 25. Physical layer procedures for A-MAPs in IEEE 802.16m-2011 (From [18]).
Figure 26. PRBS generator for scrambling assignment A-MAP in IEEE 802.16m-2011 (From [15] section 16.3.10.1.3).
Table 3. Initialization vector and CRC masks for assignment A-MAP scrambling in IEEE 802.16m-2011.

                                        Unicast                                   Broadcast
  Initial Vector for PRBS Generator     "MAPMaskSeed" parameter securely          0b000100000000000
  (15 bits)                             passed to AMS during network entry
  CRC Mask (16 bits)                    0b0000 + 12-bit STID                      0b0001000000000000
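As an added example (not code from the thesis, nor from IEEE 802.16m-2011), the following Python model shows why the two Table 3 parameters matter to a defender: a third party who knows only the fixed broadcast values can verify and read a broadcast IE, whereas a unicast IE fails its CRC check unless both the MAPMask seed and the STID are known. The LFSR taps, CRC polynomial, payload, seed and STID are constructed placeholders, not values from [15] or Figure 26.

```python
"""Model of assignment A-MAP scrambling and CRC masking as summarized in
Table 3. Added example: not code from the thesis or from IEEE 802.16m-2011.
Only the structure comes from the page (15-bit PRBS initial vector, 16-bit
CRC mask, fixed broadcast values); the LFSR taps and CRC polynomial are
assumed placeholders, not the circuit of Figure 26 or the standard's CRC."""
from typing import List, Optional

IV_BITS = 15
BROADCAST_IV = 0b000100000000000          # Table 3: fixed 15-bit IV for broadcast
BROADCAST_CRC_MASK = 0b0001000000000000   # Table 3: fixed 16-bit CRC mask for broadcast
CRC_POLY = 0x1021                         # assumption: CRC-16-CCITT polynomial

# Constructed sample: one assignment A-MAP IE payload and one AMS's secrets.
PAYLOAD = [int(c) for c in "1011001110001111010101100011"]
SECRET_SEED = 0x2F3A   # constructed MAPMaskSeed (non-zero, fits in 15 bits)
SECRET_STID = 0x0ABC   # constructed 12-bit STID


def unicast_crc_mask(stid: int) -> int:
    """Table 3: 0b0000 followed by the 12-bit STID (upper four bits zero)."""
    if not 0 <= stid < (1 << 12):
        raise ValueError("STID must fit in 12 bits")
    return stid


def prbs(iv: int, nbits: int) -> List[int]:
    """Fibonacci LFSR with a 15-bit state. The output is the state's MSB, so
    the first 15 output bits equal the initial vector; any two different
    seeds therefore give different keystreams. Taps x^15 + x^14 + 1 are an
    assumed placeholder for the generator of Figure 26."""
    if not 0 < iv < (1 << IV_BITS):
        raise ValueError("initial vector must be a non-zero 15-bit value")
    state, out = iv, []
    for _ in range(nbits):
        msb = (state >> (IV_BITS - 1)) & 1
        out.append(msb)
        feedback = msb ^ ((state >> (IV_BITS - 2)) & 1)
        state = ((state << 1) & ((1 << IV_BITS) - 1)) | feedback
    return out


def crc16(bits: List[int]) -> int:
    """Bitwise CRC-16 over a bit list (initial register 0, assumed polynomial)."""
    reg = 0
    for bit in bits:
        top = ((reg >> 15) & 1) ^ bit
        reg = (reg << 1) & 0xFFFF
        if top:
            reg ^= CRC_POLY
    return reg


def encode_amap(payload: List[int], iv: int, crc_mask: int) -> List[int]:
    """ABS side: scramble the IE with the PRBS and append the masked CRC."""
    scrambled = [p ^ s for p, s in zip(payload, prbs(iv, len(payload)))]
    masked_crc = crc16(payload) ^ crc_mask
    return scrambled + [(masked_crc >> (15 - i)) & 1 for i in range(16)]


def decode_amap(block: List[int], iv: int, crc_mask: int) -> Optional[List[int]]:
    """Receiver side: descramble with a candidate IV, unmask the CRC with a
    candidate mask, and return the IE only if the CRC verifies. A party that
    lacks the correct MAPMaskSeed or STID gets None (or garbage that fails)."""
    body, tail = block[:-16], block[-16:]
    payload = [b ^ s for b, s in zip(body, prbs(iv, len(body)))]
    received_crc = 0
    for bit in tail:
        received_crc = (received_crc << 1) | bit
    if (received_crc ^ crc_mask) != crc16(payload):
        return None
    return payload


def demo() -> dict:
    """Constructed scenario: the same IE sent once as unicast (secret seed and
    STID) and once as broadcast (fixed values), then decoded by the intended
    AMS, by an observer with the wrong seed, by an observer with the wrong
    STID, and by anyone for the broadcast copy."""
    unicast = encode_amap(PAYLOAD, SECRET_SEED, unicast_crc_mask(SECRET_STID))
    broadcast = encode_amap(PAYLOAD, BROADCAST_IV, BROADCAST_CRC_MASK)
    return {
        "intended_ams": decode_amap(unicast, SECRET_SEED, unicast_crc_mask(SECRET_STID)),
        "wrong_seed": decode_amap(unicast, 0x0123, unicast_crc_mask(SECRET_STID)),
        "wrong_stid": decode_amap(unicast, SECRET_SEED, unicast_crc_mask(0x0ABD)),
        "broadcast_anyone": decode_amap(broadcast, BROADCAST_IV, BROADCAST_CRC_MASK),
    }


if __name__ == "__main__":
    for who, result in demo().items():
        shown = "CRC fail" if result is None else "".join(map(str, result))
        print(f"{who:18s} -> {shown}")
```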

8.  Uplink  Control  Channels 

As  previously  seen  in  Figure  23,  UL  control  channels  are  also  frequency 
multiplexed.  These  UL  control  channels  include  the  primary  and  secondary  fast- 
feedback,  HARQ  feedback,  sounding,  ranging,  and  bandwidth  request  channels. 

The  primary  and  secondary  fast-feedback  channels  carry  different  sets  of 
channel  quality  as  well  as  MIMO  feedback.  The  primary  fast-feedback  channel 
carries  wideband  and  narrowband  channel  quality  indicators,  while  the  secondary 
fast-feedback  channel  carries  narrowband  channel  quality  indicators.  The 
structure  and  physical  processing  of  these  channels  are  illustrated  in  Figure  27. 
These  feedback  channels  are  frequency  and  time-division  multiplexed  in  groups 
of  feedback  mini-tiles,  and  the  secondary  fast-feedback  channels  include  pilots 
interspersed  within  them. 

For  the  HARQ  feedback  channel,  the  ACK  and  NACK  for  DL 
transmissions  occurring  at  predetermined  intervals  are  transmitted  on  this 
channel  using  a  combined  TDM/FDM  and  TDM/CDM  scheme.  The  structure  of 
the  HARQ  feedback  channel  is  illustrated  in  Figure  28.  The  channels  are  divided 
into  HARQ  mini-tiles  (constructed  by  two  subcarriers  over  two  OFDM  symbols), 
with  each  HARQ  mini-tile  identified  by  two  indices,  m  and  k.  The  m  index  is  the 
HARQ  mini-tile  index  within  a  HARQ  feedback  channel,  and  the  k  index  is  the 
HARQ  feedback  channel  index. 
Figure 27. Physical processing and structure of primary and secondary feedback channels (From [18]).
The sounding channel is used by the AMS to transmit sounding signals
when instructed by the ABS, enabling measurements of the UL channel for
MIMO and channel quality feedback at the ABS. The structure of the sounding
channel is illustrated in Figure 29. The sounding channel is located in the second
UL sub-frame and, depending on whether a narrowband or wideband channel is
configured, the number of subcarriers used varies.


[Figure 29 not reproduced; labels: TDD Radio Frame = 5 ms; Narrowband Sub-band based Sounding]

Figure 29. Structure of sounding channel in TDD mode (From [14]).


The ranging channel is used by the AMS to transmit ranging signals to
initiate uplink synchronization. Upon receiving the incident signal, the ABS
processes it and computes important parameters such as power and frequency
adjustments that are fed back to the AMS. This allows the AMS to make
adjustments, thereby attaining uplink synchronization and completing the initial
ranging process. This initial ranging is contention based. Afterwards, the AMS
can proceed with network entry. For an AMS that has attained uplink
synchronization, periodic (or synchronized) ranging needs to be performed
continuously to maintain synchronization and is performed in a non-contention
manner. Ranging signals typically consist of ranging preambles (RP) as well as
cyclic prefixes (CP) appended before the RPs. Examples of ranging signals
under different circumstances are shown in Figure 30.
Figure 30. Examples of ranging signals (From [18]).


As for the bandwidth request channel, since all radio resources are managed
centrally by the base station, any desired change in uplink parameters needs to
be requested through the ABS. A contention-based random access scheme is
used by AMSs to request bandwidth. It involves a five-step or three-step quick-
access procedure, illustrated in Figure 31. The physical channel structure for a
bandwidth request channel is illustrated in Figure 32, subdivided into three UL
tiles, where Pr denotes a preamble sequence. The quick-access message
containing the request information is QPSK modulated into 36 data symbols before
being inserted into the locations denoted by M within the three UL tiles (each
containing 12 symbols) for transmission.
Figure 31. Bandwidth request procedures (From [14]).


[Figure 32 not reproduced: grid of preamble symbol positions (Pr0 to Pr23) and quick-access message symbol positions (M0 to M35) across the three UL tiles]

Figure 32. Bandwidth request channel physical structure (From [15]).
9. Multiple Antenna Transmission Schemes

MIMO  techniques  are  employed  in  IEEE  802.16m-2011  to  achieve  array 
gain,  diversity  gain,  and  spatial  multiplexing  gain  to  combat  effects  of  multipath 
and  channel  spread. 


a.  DL  MIMO 

The  wide  range  of  MIMO  modes  available  for  downlink  use  can  be 
broadly  classified  into  single  and  multiple  base-station  modes. 

Multi-base-station MIMO is an extension in which AMSs are served by
multiple ABSs through inter-BS coordination or even multi-BS transmission. For
collaborative MIMO, several MSs are jointly served by multiple coordinated BSs,
whereas in closed-loop macro diversity, every MS is served jointly by multiple
coordinated BSs.

Single-user  MIMO  (SU-MIMO)  techniques  are  point-to-point 
schemes  that  improve  capacity  and/or  reliability  through  space-time/space- 
frequency  codes  together  with  spatial  diversity  multiplexing  transmission.  In 
single  user  (SU)  schemes,  one  MS  is  addressed  in  one  resource  unit,  while  for 
multi-user  (MU)  schemes,  multiple  users  can  be  scheduled  in  one  resource  unit. 

Open-loop techniques, including spatial multiplexing and space-time
codes, are less reliant on channel information. These tend to result in a
higher complexity burden at the receiver as well as less than optimal utilization of
channel diversity or capacity. Closed-loop techniques make use of a feedback
channel to relay channel information to the BS, enabling simpler techniques and
better channel utilization [19].

A  summary  of  how  the  preceding  factors  translate  into  actual  MIMO 
modes  is  illustrated  in  Figure  33. 
Figure 33. Summary of MIMO modes for DL (From [14]).


b.  UL  MIMO 

MSs  are  constrained  in  terms  of  physical  size  and  number  of 
antennas.  Hence,  there  are  fewer  options  available  for  uplink  MIMO.  These 
MIMO  modes  include  the  open-  and  closed-loop  versions  of  SU-MIMO  and 
collaborative  spatial  multiplexing. 

D.  NETWORK  ENTRY  PROCESS 

An  AMS  attempting  network  entry  first  commences  downlink 
synchronization  by  means  of  the  preambles  and  superframe  headers  before 
performing  uplink  synchronization  through  initial  ranging.  After  ranging  is 
complete,  the  ABS  responds  with  an  AAI-RNG-ACK  message  that  contains 
power  and  timing  adjust  parameters  to  ensure  uplink  synchronization.  It  also 
issues  a  temporary  station  identifier  (TSTID)  along  with  a  MAP  mask  seed  and 
places  them  in  the  AAI-RNG-RSP  message. 

Capability  negotiation  messages  are  then  exchanged  before 
authentication,  which  involves  the  secure  exchange  of  several  sets  of  keys.  Once 
this  is  done,  selected  MAC  control  messages  and  data  messages  being 
exchanged  are  encrypted  and  authenticated. 




The AMS then requests registration through the AAI-REG-REQ message.
Upon successful registration at the ABS, a response message, AAI-REG-RSP, is
transmitted to the AMS; the AAI-REG-RSP message conveys the real STID as
well as the MAP mask seed. These two parameters, which are hidden from the
casual observer, are instrumental in protecting the privacy of an AMS. They are
used to scramble the resource allocation mapping within the assignment A-MAP control
channels. The WiMAX network entry procedures are summarized in Figure 34.


[Figure 34 not reproduced; message flow: AAI-REG-REQ (AMSID) from AMS to ABS; AAI-REG-RSP (STID) from ABS to AMS; further message/data transactions]

Figure 34. Network entry process (From [15] section 16.2.5.3.2).
III. SURVEY OF MAC CONTROL MESSAGES FOR VULNERABILITIES


A.  BACKGROUND 

MAC  management  messages  are  a  key  part  of  WiMAX  control  channels, 
and  measures  to  protect  these  messages  are  examined  in  this  chapter.  An  initial 
assessment  is  then  performed  to  examine  unprotected  messages  for 
weaknesses  and  to  categorize  them  before  examining  selected  examples  in 
greater detail. This was performed for both legacy standards and IEEE 802.16m-2011.

B.  PROTECTION  MECHANISMS  FOR  MAC  CONTROL  MESSAGES 

1. Integrity Check Value (ICV)

The ICV affords complete protection, including confidentiality, integrity and
authenticity. This form of protection was first introduced with IEEE 802.16m-
2011, and a majority of messages in that standard are protected in this manner,
compared with CMAC/HMAC, discussed below. In order for the ICV to be used, a
security association needs to be established, which involves authentication as
well as key exchange. This means that messages that normally receive
protection do not receive it during network entry, prior to PKM negotiation. ICV protection is
based upon the AES encryption scheme, which is currently regarded as secure
and effective.

2.  CMAC  and  HMAC 

CMAC and HMAC provide protection for integrity and authenticity only.
Although protected messages are still sent in plaintext, a hash generated with the
encryption key is sent with the message, and any attempt to alter the contents results
in the message failing authentication at the receiver. Even if the attacker
attempts to replace the entire message, he would face the problem of generating
a hash that can pass the authentication procedure at the receiver, as he does not
have the encryption key. Similar to the ICV, this protection requires the security association
to be completed. This means that messages that normally receive protection do
not, prior to PKM negotiation.

C.  CLASSIFICATION  OF  MAC  MESSAGES  BASED  ON  PROTECTION 
AND  VULNERABILITIES 

Based on the above criteria, the full list of MAC control messages for both
IEEE 802.16m-2011 and IEEE 802.16-2009 were evaluated.

1.  IEEE  802.16m-2011  MAC  Management  Messages 

Out  of  70  messages  in  total,  37  were  fully  protected  by  ICV.  Nine  were 
partially  protected.  Partial  protection  means  that  there  are  scenarios  under  which 
security  association  was  not  complete  and  MAC  messages  were  not  protected. 
The  remaining  24  MAC  messages  were  not  protected.  As  the  ICV  protection  is 
deemed  effective,  we  regard  messages  under  full  ICV  protection  to  be  free  from 
exploitation.  A  breakdown  of  the  protection  level  for  MAC  management 
messages  is  provided  in  Table  4. 

Table 4. Protection summary for IEEE 802.16m MAC control messages.

  Total Number of Messages    70
  Fully protected by ICV      37
  Partial Protection           9
  No Protection               24

For  the  MAC  management  messages  that  are  not  fully  protected,  the 
characteristics  and  workings  of  each  message  are  examined  in  detail  to  ascertain 
possible  exploitations.  A  summary  of  this  assessment  is  provided  in  Table  5. 
Table 5. Exploitation summary of IEEE 802.16m MAC control messages.

  Total Messages Not Fully Protected      33
  Limited Exploitation Scope              10
  Messages With Possible Exploitation     23

As  discussed  earlier,  due  to  the  scrambling  of  assignment  A-MAP  by  IEEE 
802.16m,  unicast  messages  cannot  be  exploited.  Hence,  remaining  messages 
are  further  categorized  according  to  attack  nature  and  functional  groups  (see 
Table  6). 

Table 6. Exploitation summary of IEEE 802.16m MAC control messages according to type and functional group.

  General Message Modification Attacks           6
  Power Related Message Modification Attacks     2
  MIMO Related Message Modification Attacks      3
  Flooding Attacks                               2
  Water Torture Attacks                          2
  Total Possible Exploitations                  15

The  details  of  the  above  exploits  are  discussed  in  the  following 
subsections,  with  emphasis  on  selected  categories  of  attacks.  Most  of  the 
vulnerabilities  identified  involve  injecting  spoofed  MAC  control  messages  to  the 
ABS  or  the  AMS. 

2.  IEEE  802.16-2009  MAC  Management  Messages 

A  similar  process  is  carried  out  for  IEEE  802.16-2009.  Out  of  71 
messages  in  total,  nine  are  reserved,  leaving  62  possible  messages.  Out  of 
these  62,  30  are  authenticated  by  CMAC/HMAC,  leaving  32  that  are  both  in  plain 
and  unauthenticated.  A  breakdown  of  the  protection  level  for  MAC  management 
messages  is  provided  in  Table  7. 
Table 7. Protection summary for IEEE 802.16-2009 MAC control messages.

  Total Defined Management Messages    71
  Reserved Messages                     9
  Total Non-Reserved                   62
  Authenticated Messages               30
  Non-Authenticated                    32

As  the  CMAC/HMAC  protection  is  deemed  effective,  we  regard  messages 
protected  as  such  to  be  free  from  exploitation  as  well  as  any  modifications.  For 
the  MAC  management  messages  that  are  not  fully  protected,  we  examined  the 
characteristics  and  workings  of  each  message  in  detail  to  ascertain  possible 
exploitations.  A  summary  of  this  assessment  is  provided  in  Table  8. 

Table 8. Exploitation summary of IEEE 802.16-2009 MAC control messages.

  Total Messages Not Protected            32
  Limited Exploitation Scope              14
  Messages With Possible Exploitation     18

The  messages  in  Table  8  are  then  further  categorized  according  to  attack 
nature  as  well  as  functional  group;  they  are  listed  in  Table  9.  A  further  distinction 
is  made  between  vulnerabilities  that  have  been  previously  identified  in  literature 
and  those  that  have  not. 

The  details  of  the  preceding  exploits  are  discussed  in  the  next  chapter, 
with  emphasis  on  selected  categories  of  attack.  Most  of  the  vulnerabilities 
identified  involve  injecting  spoofed  MAC  control  messages  to  the  ABS  or  the 
AMS. 
Table 9. Exploitation summary of IEEE 802.16-2009 MAC control messages according to types and functional groups.

  Attack Nature / Functional Group              Discussed in   Current      Total
                                                Literature     Discussion
  General Message Modification Attacks               3             5          8
  Power Related Message Modification Attacks         1             0          1
  MIMO Related Message Modification Attacks          0             1          1
  Flooding Attacks                                   0             2          2
  Water Torture Attacks                              1             1          2
  ARQ                                                1             2          3
  AAS                                                0             1          1
  Total Possible Exploitations                       6            12         18
IV. SPOOFING AND INJECTING CONTROL MESSAGES IN A TDMA REGIME


A.  BACKGROUND 

Most vulnerabilities involve an intruding station (IS) spoofing false MAC
management messages at the ABS or an AMS. In contention-based wireless
standards such as IEEE 802.11 (Wi-Fi), knowing the frequency and key
parameters is sufficient for an attacker to start injecting messages. The TDMA
and OFDMA nature of WiMAX means that in addition to knowing the normal
parameters, transmitting on the correct subcarriers with the correct timing is also
crucial. Most of the literature discusses vulnerabilities of MAC management
messages assuming they can be injected successfully, without discussing the
details. Boom correctly identifies the single biggest challenge to mounting attacks
on TDMA systems as timing [12].

In  this  chapter,  we  examine  in  detail  the  challenges  and  propose  solutions 
to  injecting  MAC  management  messages,  both  at  ABS  and  AMS.  This  material 
aims  to  give  us  some  assurance  that  injection  of  messages  at  the  physical  level 
is  feasible  before  MAC  level  attacks  are  discussed  in  the  next  chapter. 

B.  PREPARATION 

1.  Downlink  Synchronization 

Just  like  any  other  legitimate  AMS  joining  a  network,  our  IS  needs  to 
detect  ABS  transmission,  acquire  key  system  parameters,  and  perform  downlink 
synchronization.  This  enables  the  IS  to  properly  receive,  demodulate,  and 
interpret  data  transmitted  by  the  ABS.  For  IEEE  802.16m,  key  steps  include 
reading  key  parameters  off  the  PA-Preamble  and  SA-Preamble  and  achieving 
downlink  time  synchronization.  The  IEEE  802.16m  WiMAX  frame  is  illustrated  in 
Figure  35. 
Figure 35. IEEE 802.16m frame with locations of PA-preamble and SA-preamble (From [14]).


As  for  legacy  systems,  key  parameters  need  to  be  read  from  the  preamble 
and  time  must  be  synchronized.  The  legacy  WiMAX  frame  is  illustrated  in  Figure 
36. 

2. Decode DL-MAP and UL-MAP and Eavesdrop on Control Traffic

In order to know where all bursts are located, the IS needs to decode the
downlink medium access protocol (DL-MAP) as well as the uplink medium access
protocol (UL-MAP). For IEEE 802.16m, this information resides within the
assignment A-MAP, as described in section II.C.7. Only the MAPs for broadcast
traffic are available in plain, while MAPs for unicast traffic have been scrambled
with a sequence derived from the AMS's STID and the MAPMask seed; both the
STID and the MAPMask seed were sent to each AMS through an encrypted
channel during network entry (as described in section II.D). If an attacker is able
to overcome the scrambling, the unicast assignment A-MAP is available.
Otherwise, only the broadcast assignment A-MAP is available and only broadcast
messages can be monitored and exploited.


[Figure 36 not reproduced: legacy WiMAX frame; axis label: OFDMA symbol number t]


For legacy systems, the IS should: read key parameters from the frame
control header (FCH), read the DL-MAP to know the timing and subcarriers used for
bursts destined for each AMS, and read the UL-MAP to know the timing and subcarriers
used for bursts transmitted by each AMS to the ABS (the start point and
area described in terms of symbols and subchannels). In this case, both unicast
and broadcast MAPs are in plain. Within the DL-MAP and UL-MAP, the CID is
the primary index indicating ownership of each information element within the
legacy WiMAX frame [20]. One such example is illustrated in Figure 37.

For both IEEE 802.16m and legacy systems, sub-channelization effects
(as described in section II.C.3) also need to be taken into account, mapping
logical resource units (LRUs) into physical resource units (PRUs).
Once downlink synchronization and the decoding of MAPs are completed,
the  IS  can  listen  and  monitor  some  or  all  unencrypted  traffic  within  the  cell  or 
sector. 
Figure 37. Example of data burst within legacy WiMAX frame (From [20]).


3. Listen for MS Joining Network and Intercept Connection ID (CID) if Subject of Interest is Unicast Message

In the case of legacy systems, the IS can listen for the CID issued by the
BS to a joining MS through the relevant field within the RNG-RSP MAC
management message sent from the BS to the MS as part of its joining process.
The CID is important to identify the source and destination of messages, as well
as to know which burst to target. For broadcast messages within both IEEE
802.16m-2011 and legacy systems, STID or CID is not required.
4. Acquire and Monitor ARQ Parameters and Numbers

Besides  other  parameters,  the  ARQ  parameters  in  use  are  important;  they 
allow  the  intruding  system  (IS)  to  properly  formulate  injected  messages  to  ensure 
they  are  contextualized.  The  ARQ  sequence  number  for  each  CID  or  broadcast 
message  that  we  have  an  interest  in  needs  to  be  tracked  so  that  the  sequence 
number  in  our  injected  message  is  acceptable. 

C. PURPOSE OF RANGING AND CHALLENGES OF INJECTING MESSAGES WITHIN TDMA SYSTEMS

1.  Ranging  in  TDMA  Systems 

Timing  and  burst  allocation  within  the  WiMAX  frame  is  specifically 
assigned  to  each  AMS  within  the  UL-MAP  and  DL-MAP  or  assignment  A-MAP. 
These  timings  are  with  reference  to  the  ABS.  This  essentially  means  the  timings 
meant  for  the  commencement  of  transmission  and  reception  are  from  the 
viewpoint  of  the  ABS.  For  the  downlink  transmission,  this  means  that  propagation 
delays  occur  before  reception  at  the  AMS.  The  length  of  propagation  delay  is 
dependent  on  the  distance  of  the  AMS  from  the  ABS.  The  AMS  can  achieve 
downlink synchronization through the preamble. Similarly, for the uplink,
propagation  delays  occur  between  the  time  the  AMS  starts  transmitting  to  the 
time  the  signal  arrives  at  ABS.  This  arrival  time  needs  to  be  referenced  to  the 
ABS’s  timing.  To  achieve  this,  the  AMS  needs  to  advance  the  start  of 
transmission  by  a  period  equivalent  to  the  propagation  delay.  Ranging  is  the 
process  of  ascertaining  as  well  as  fine-tuning  timing  adjustment.  The  schematic 
explaining  the  need  for  timing  adjustment  is  illustrated  in  Figure  38.  The  section 
on  the  left  depicts  a  scenario  without  timing  adjustment,  while  the  section  on  the 
right  shows  how  timing  adjustment  enables  the  frame  transmitted  by  the  MS  to 
arrive  at  the  expected  timing  at  the  BS. 
Figure 38. Ranging and timing adjust (From [21]).


2.  Challenges  of  Injecting  Messages 

The  challenge  of  injecting  messages  within  a  TDMA  system  lies  in 
establishing  the  correct  timing  adjustment  to  commence  transmission  at  our  IS  to 
ensure  that  the  signal  arrives  at  the  intended  slot  allocated  for  the  ABS  or  AMS. 
As a perpetrator, although we may be able to perform ranging to obtain a timing
adjust  for  uplink  attacks,  we  will  not  have  the  benefit  of  ranging  for  downlink 
attacks  involving  another  AMS.  If  the  location  of  the  AMS  we  are  targeting  is 
unknown,  the  challenge  is  even  greater.  Existing  literature  either  assumes  that 
this  can  be  done  or  acknowledges  the  challenges  without  discussing  solutions. 
To  have  some  certainty  that  the  proposed  MAC  message  based  attacks  can 
work,  a  series  of  possible  measures  to  overcome  these  timing  requirements  are 
proposed  for  different  scenarios. 
D. INSERTION OF MAC CONTROL MESSAGES


1.  From  Mobile  Station  to  Base  Station 


This scenario is for the case when we attempt to spoof a MAC message
from an AMS to the ABS on the uplink. For the case of IEEE 802.16m-2011, unless
the STID and MAPMask seed constraints discussed earlier can be overcome, the
unicast UL-MAP cannot be read from the assignment A-MAP, and the message
cannot be inserted. Although the broadcast A-MAP can still be read, there is no
broadcast traffic on the uplink. A schematic of the scenario is provided in Figure 39.
In this example, the MS needs to advance its transmission timing by 4 µs for the
packet to reach the BS at the expected timing. As the IS is farther away from the
BS, it needs to advance the transmission of its spoofed packet by 5 µs to ensure
it arrives at the expected time.


[Figure 39 not reproduced; annotations: IS needs to advance TX timing by timing adjust figure; a stronger signal from IS arrives at the BS at the same time as the real MS at beginning of burst]

Figure 39. Schematic and example of AMS to ABS scenario.


a.  Locate  Target  Uplink  Burst  from  UL-MAP 

The  IS  first  needs  to  ascertain  the  uplink  burst  location  that  is 
allocated  to  the  AMS  by  the  ABS  for  the  current  frame.  In  the  case  of  legacy 
systems,  this  can  be  done  by  scanning  the  UL-MAP  and  looking  for  CIDs 
associated  with  the  targeted  AMS  to  determine  the  allocated  transmission  slots. 
b. Establish Uplink Timing Adjustment through Initial Ranging

Once  the  target  timing  is  ascertained,  the  IS  needs  to  advance  the 
transmission  timing  equivalent  to  the  propagation  delay  between  the  IS  and  BS. 
In  order  to  know  how  much  to  advance,  the  IS  can  perform  an  initial  ranging  (just 
as  a  normal  AMS  does  to  join  the  network)  with  the  ABS.  It  does  so  by  issuing  an 
AAI-RNG-REQ  (RNG-REQ  for  legacy  systems)  management  message  to  the 
ABS  on  the  ranging  contention  channel.  The  ABS  performs  measurements  on 
the  received  signals  and  responds  with  timing  and  power  adjust  figures  in  AAI- 
RNG-ACK.  The  initial  ranging  process  is  shown  in  Figure  40.  An  equivalent 
process  exists  for  legacy  systems,  with  CID  issued  instead  of  STID/TSTID. 


[Figure 40 not reproduced; message flow between AMS and ABS: AMS DL Synchronization; AAI-RNG-REQ (AMSID*) from AMS; AAI-RNG-RSP (TSTID) from ABS; AMS Authentication/Authorization Phase; Key Agreement; AAI-REG-REQ (AMSID) from AMS; AAI-REG-RSP (STID) from ABS; further message/data transactions]

Figure 40. Network entry process with initial ranging (From [15] section 16.2.5.3.2).


c. Transmit Injected MAC MSG

The IS can then formulate the MAC management message,
encapsulate it with a generic MAC header (GMH) and an optional CRC at the tail
to form a MAC management frame, and transmit it with a timing adjustment so
that it arrives in the same slot as the burst destined for the targeted AMS. The
injected MAC frame has to commence at the very beginning of the traffic burst.
This is preferred to injecting into the middle of a burst because, to do that, the attacker
must know the contents of the burst before and after the injected symbols. To
ensure that our signal can drown out that of the targeted AMS at the ABS, the IS
has to transmit at a power higher than the figure that results after incorporating the
power adjustment from the ABS. The transmit power level is discussed in a
subsequent section.

d.  Verify  Effectiveness  of  Attack 

The  IS  can  then  monitor  traffic  from  the  ABS  and  AMS  to  determine 
if  the  attack  was  successful. 

e.  ARQ  Considerations 

The implications of the ARQ mode as well as the parameters in force
have  to  be  considered  when  formulating  the  MAC  message  and  encapsulating 
frame.  Assuming  the  timing  is  correct  and  the  frame  is  decoded  at  the  ABS,  in 
order  for  the  MAC  management  message  to  be  accepted,  we  have  to  meet  ARQ 
conditions.  This  means  that  CRC  checks  have  to  pass  and  that  the  whole  ARQ 
block  containing  our  MAC  management  message  has  to  be  assessed  by  the 
ABS  as  intact.  Otherwise,  this  frame  could  be  discarded  and  a  retransmit  request 
sent  out  to  the  targeted  MS.  At  some  point  after  we  stop  our  transmission  and  the 
signal  from  targeted  AMS  starts  to  be  received  by  the  ABS,  CRC  will  fail  and  the 
ARQ  will  trigger,  but  this  failed  block  must  not  contain  our  MAC  management 
message.  This  essentially  means  that  our  injected  message(s)  and  frame  have  to 
be  sufficiently  long  (See  Figure  41).  The  ARQ  sequence  number  also  needs  to 
continue  from  the  last  sequence  number  used  during  the  previous  burst. 
Figure 41. Ensuring injected content spans across ARQ block.

f.  Transmit  Power 

Due  to  the  TDMA  nature  of  WiMAX,  our  injected  MAC  message 
has  to  arrive  at  the  victim’s  location  at  approximately  the  same  time  as  the 
genuine  signal.  For  our  signal  to  override  the  genuine  one,  our  signal  strength 
needs to be higher. With the power adjustment result obtained from the ranging
process, the IS knows what transmission power yields a nominal signal power at
the ABS. This is computed by applying the power adjust figure ($P_{Adjust}$) to
the power transmitted ($P_{TX}$) for the ranging ($P_{Initial\_Ranging}$). It is further
proposed that an overpower gain ($G_{overpower}$), dependent on the modulation
scheme, be applied to the transmission power. This overpower gain is set
according to the signal-to-noise ratio (SNR) requirement of the respective
modulation scheme. The above computation is defined by

$$P_{TX}(\mathrm{dB}) = P_{Initial\_Ranging} + P_{Adjust} + G_{overpower}. \quad (1)$$

The  net  effect  that  we  desire  to  achieve  is  to  force  the  victim’s 
automatic  gain  control  to  reduce  gain  and  render  genuine  AMS’s  transmission  to 
appear as noise in comparison to our signal while meeting requirements for SNR
for  the  modulation  scheme  in  use. 

2.  From  Base  Station  to  Mobile  Station 

This  scenario  is  for  the  case  where  we  attempt  to  spoof  a  MAC  message 
from an ABS to AMS on the downlink. For the case of IEEE 802.16m-2011,
unless  the  STID  and  MAPMask  seed  constraints  as  discussed  earlier  can  be 
overcome,  the  unicast  UL-MAP  cannot  be  read  from  the  assignment  A-MAP  and 
the  message  cannot  be  inserted.  Broadcast  A-MAP  can  still  be  read,  and 
broadcast  traffic  can  apply  for  downlink.  The  same  basic  principles  and 
challenges  from  AMS  to  ABS  scenario  apply  for  the  ABS  to  AMS  scenario,  but 
additional  challenges  emerge.  In  the  previous  scenario,  signal  injection  was  from 
IS  to  ABS,  whereas  in  this  scenario,  our  IS  needs  to  inject  signals  to  an  AMS  that 
is  mobile,  and  its  location  may  be  unknown.  To  make  matters  worse,  ranging 
cannot  be  carried  out  to  ascertain  distance  and  propagation  delay,  or  power.  The 
following  discussion  is  set  for  two  sub-scenarios:  MS  location  known  and  MS 
location  unknown. 


a.  Mobile  Station  Location  Known 

If  the  location  of  the  mobile  station  that  we  plan  to  inject  a  message 
into  is  known,  the  timing  adjustment  required  can  be  accurately  estimated.  A 
schematic  of  an  ABS  to  AMS  scenario  with  AMS  position  known  is  provided  in 
Figure  42,  which  incorporates  an  example  of  how  the  location  can  be  used  to 
translate  into  propagation  timings  and  how  timing  adjustments  can  be  formulated. 

i.  Locate  Targeted  Downlink  Burst  from  DL-MAP.  The 
IS  first  needs  to  ascertain  the  downlink  burst  location  allocated  by  the  ABS  to 
transmit  to  AMS  for  the  current  frame.  This  can  be  done  by  scanning  the 
assignment  A-MAP  or  DL-MAP  for  slots  allocated  for  the  ABS  to  transmit  to 
targeted  AMS. 
Figure 42. Schematic and example of ABS to AMS scenario.

ii.  Compute  Downlink  Timing  Adjust.  Once  the  targeted 
timing  with  reference  to  ABS  is  ascertained,  the  IS  needs  to  advance  or  delay 
transmission  timing.  The  IS  can  compute  a  timing  adjustment  by  computing  the 
distance  between  ABS  and  AMS  and  between  IS  and  AMS.  The  difference  in 
distance,  converted  to  the  corresponding  timing,  is  the  timing  adjustment. 

iii.  Transmit  Injected  MAC  MSG.  The  IS  can  then 
formulate  the  MAC  management  message,  encapsulate  it  with  a  GMH  and  CRC 
at  the  tail  (optional)  to  form  a  MAC  management  frame,  and  transmit  it  with 
timing  adjustment  so  that  it  arrives  at  the  slot  destined  for  the  targeted  AMS.  The 
injected  MAC  frame  has  to  commence  at  the  very  beginning  of  the  traffic  burst. 
This  is  to  minimize  the  amount  of  context  that  we  need  to  deal  with  if  we  inject 
mid-frame. 




iv.  Verify  Effectiveness  of  Attack.  The  IS  can  then 
monitor  traffic  from  the  ABS  and  AMS  to  determine  if  the  attack  was  successful. 

v.  ARQ  Considerations.  The  implications  of  the  ARQ 
mode  and  parameters  in  force  have  to  be  considered  when  formulating  the  MAC 
message  and  encapsulating  frame.  Assuming  the  timing  is  correct  and  the  frame 
is  decoded  at  the  AMS,  for  the  MAC  management  message  to  be  accepted,  we 
have  to  meet  ARQ  conditions.  This  means  that  CRC  checks  have  to  pass  and 
that  the  whole  ARQ  block  containing  our  MAC  management  message  has  to  be 
assessed  by  the  AMS  as  intact.  Otherwise,  this  frame  could  be  discarded  and  a 
retransmit  request  sent  out  to  the  ABS.  At  some  point  after  we  stop  our 
transmission  and  the  signal  from  ABS  starts  to  be  received  by  the  AMS,  CRC  will 
fail  and  ARQ  will  trigger,  but  this  failed  block  must  not  contain  our  MAC 
management  message.  This  essentially  means  that  our  injected  message(s)  and 
frame  have  to  be  sufficiently  long.  The  ARQ  sequence  number  also  needs  to 
continue  from  the  last  sequence  number  used  during  the  previous  burst. 

vi. Uncertainty Analysis. As no ranging was performed,
the timing adjustment is worked out using the GPS coordinates of the ABS, IS,
and AMS. These position estimates have their own tolerances. Hence, an
analysis is carried out to confirm timing margins and the feasibility of success.
For a commonly adopted configuration, the OFDMA symbol duration is 91.4 us,
preceded by a guard interval ($t_{GI}$) of 11.4 us that is padded with a cyclic prefix. Timing
uncertainties in this situation are tabulated in Table 10.
Table 10. Timing uncertainty computation

Factor                         Uncertainty    t_error
BS GPS position uncertainty    5 m            16.7 ns
MS GPS position uncertainty    5 m            16.7 ns
IS GPS position uncertainty    5 m            16.7 ns
Max position uncertainty                      50.1 ns
Channel spread (max)                          4 us
Total uncertainty                             4.05 us
Guard interval                                11.4 us
Margin                                        7.35 us

As seen from the computation, after taking into account the
positional uncertainty (from the GPS position uncertainty [22]) of the ABS, AMS,
and IS, as well as the channel spread, we have a margin of 7.35 us (see Figure
43). Hence, the foreseeable timing error of a frame injection at the beginning of a
burst is not a major factor, as this error is less than the guard interval minus
the maximum delay spread.

Figure 43. Illustration of timing uncertainty vs guard interval.

vii.  Transmission  Power.  Due  to  the  TDMA  nature  of 
WiMAX,  our  injected  MAC  message  has  to  arrive  at  the  victim’s  location  at 
approximately  the  same  time  as  the  genuine  signal.  For  our  signal  to  override  the 
genuine  one,  its  signal  strength  needs  to  be  higher.  The  approach  taken  to 
estimate the transmission power for this scenario is different. The IS measures the
incident power from the ABS ($P_{ABS(incident)}$). With the distance from the ABS to the IS
known, the path loss ($L_{ABS\text{-}IS}$) can be estimated, and hence the transmission power
of the ABS can be estimated. Likewise, with the distance from the ABS to the
AMS known, the path loss ($L_{ABS\text{-}AMS}$) can be estimated. Hence, the estimated
ABS transmission power incident upon the targeted AMS can be obtained.
Next, the path loss between the IS and AMS ($L_{IS\text{-}AMS}$) needs to be factored in. It is
also proposed that an overpower gain ($G_{overpower}$), which is dependent on the
modulation scheme, be applied to the transmission power. This overpower gain is
set according to the SNR requirement of the respective modulation scheme.
Hence, the proposed transmission power is computed according to

$$P_{TX}(\mathrm{dB}) = P_{ABS(incident)} + L_{ABS\text{-}IS} - L_{ABS\text{-}AMS} + L_{IS\text{-}AMS} + G_{overpower}. \quad (2)$$

The  desired  net  effect  of  the  proposed  transmission  power  is 
to  force  the  victim’s  automatic  gain  control  to  reduce  gain  and  render  the  genuine 
source’s  transmission  to  appear  as  noise  in  comparison  to  our  signal  while 
meeting  the  SNR  requirements  for  the  modulation  scheme  in  use. 

b.  Mobile  Station  Location  Unknown 

If  the  location  of  the  mobile  station  that  we  plan  to  inject  a  message 
into  is  unknown,  we  can  attempt  transmission  of  the  injected  message  over 
multiple  attempts  over  a  selected  range  which  is  bounded  by  the  cell  dimension. 
A  schematic  showing  an  ABS-to-AMS  scenario  with  MS  position  unknown  and 
cell  size  of  5  km  is  provided  in  Figure  44.  As  shown  in  the  figure,  there  are  two 
extreme  scenarios  in  terms  of  the  distance  from  the  AMS  to  IS.  The  AMS  and  IS 
could  be  at  the  edge  of  the  cell  (far  case)  or  right  next  to  each  other  (near  case). 

i.  Locate  Target  Downlink  Burst  from  DL-MAP.  The  IS 
first  needs  to  ascertain  the  downlink  burst  location  allocated  by  the  ABS  to 
transmit  to  the  AMS  for  the  current  frame.  This  can  be  done  by  scanning  the 
assignment  A-MAP  or  DL-MAP  for  slots  allocated  for  the  ABS  to  transmit  to  the 
targeted  AMS. 
Figure 44. Example illustrating a scenario of injection to MS with unknown position.

ii.  Compute  Downlink  Timing  Adjust.  Once  the  target 
timing  is  ascertained,  the  IS  needs  to  compute  the  possible  ranges  for  the  timing 
adjust to attempt. Let $t_{prop(max)}$ be the propagation delay for the worst case
whereby the IS and AMS are at the extreme ends of the cell (far case in Figure
44). For the far case, the timing needs to be advanced by half of $t_{prop(max)}$. This
ensures that the injected signal has sufficient time to propagate across the cell
and arrive at the AMS at approximately the same time as the signal from the ABS.
For the near case, the timing needs to be delayed by half of $t_{prop(max)}$. This is
because the signal transmitted to the AMS takes that length of time to propagate
to the edge of the cell. For other positions of the AMS and IS, the timing
adjustment will vary between the two extreme cases (far and near). The above
concepts are illustrated in Figure 45.

Figure 45. Illustration of implication of unknown AMS location on transmit timing.


Once the range of possible timings has been computed, the
next step is to divide the range into intervals, with each interval being $t_{GI}/2$, where
$t_{GI}$ is the duration of the guard interval. How the possible timing range and
intervals can be selected around the expected timing of the burst
commencement is illustrated in Figure 46. This expected timing should be
referenced to the BS (timing at the IS minus the propagation delay from ABS to IS). The
central idea is to attempt injection at different times within the range, selecting
one interval per frame until the timing falls within the actual guard interval and the
MAC message is accepted. An interval of $t_{GI}/2$ ensures that the IS will not
inadvertently skip over the actual guard band. The IS can measure the incident
power of pilot carriers from the targeted AMS. From the measured power, it can
estimate the distance of the AMS from the IS by assuming path loss using the free-
space model. With this estimated distance, the IS can select a better timing
interval to begin the message injection. This should improve the probability of
early success.

Figure 46. Example of MAC message injection plan (timing range of $t_{prop(max)}$ around the
expected burst commencement, referenced to the IS time minus the inbound propagation delay).
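The following script is an added example (it is not code from the thesis) that carries the downlink timing procedure through in numbers: the known-location timing adjust of Figure 42, the Table 10 uncertainty margin, and the unknown-location sweep plan of Figures 45 and 46. The node coordinates, the carrier frequency, the AMS pilot transmit power and the rule for ordering the sweep (assume the AMS is half a radius from the ABS when only the IS-to-AMS distance is known) are assumptions made for the example; the 5 m GPS tolerance, 4 us channel spread and 11.4 us guard interval are the figures used in the text, and the cell diameter is taken as twice the cell radius.

```python
"""Downlink injection timing for the ABS-to-AMS scenario (Figures 42, 45, 46
and Table 10).  Added example, not from the original thesis.  The node
coordinates, the AMS pilot transmit power and the carrier frequency are
constructed; the 5 m GPS tolerance, 4 us channel spread and 11.4 us guard
interval are the figures used in the text."""
import math

C = 299_792_458.0   # speed of light, m/s
S_TO_US = 1e6


def dist_m(a, b):
    """Planar distance between two (x, y) positions in metres."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def prop_delay_us(d_m):
    return d_m / C * S_TO_US


def timing_adjust_us(abs_xy, is_xy, ams_xy):
    """Known-location case: the IS must transmit earlier than the ABS burst by
    the extra distance its signal has to cover (positive = advance, negative =
    delay) so that it lands in the AMS's burst slot with the genuine signal."""
    return prop_delay_us(dist_m(is_xy, ams_xy)) - prop_delay_us(dist_m(abs_xy, ams_xy))


def timing_margin_us(gps_unc_m=5.0, n_nodes=3, channel_spread_us=4.0, guard_us=11.4):
    """Table 10: GPS tolerance of ABS, AMS and IS (each converted to time and
    summed as the worst case) plus channel delay spread, against the guard
    interval.  A negative result means burst-start injection cannot be relied on."""
    total_us = n_nodes * prop_delay_us(gps_unc_m) + channel_spread_us
    return guard_us - total_us


def fspl_db(d_m, f_hz):
    """Free-space path loss, the model the text assumes for ranging the AMS."""
    return 20 * math.log10(d_m) + 20 * math.log10(f_hz) - 147.55


def distance_from_pilot_m(p_rx_dbm, p_tx_dbm, f_hz):
    """Invert free-space loss to estimate the IS-to-AMS distance from measured
    pilot power.  p_tx_dbm (the AMS pilot EIRP) is an assumed input."""
    loss_db = p_tx_dbm - p_rx_dbm
    return 10 ** ((loss_db + 147.55 - 20 * math.log10(f_hz)) / 20)


def sweep_schedule_us(cell_radius_m, guard_us=11.4, d_is_ams_est_m=None):
    """Unknown-location case.  t_prop(max) is the delay across the cell
    diameter (assumed 2 * radius).  Far case: advance by t_prop(max)/2; near
    case: delay by t_prop(max)/2.  The range is stepped by t_GI/2 so the real
    guard interval cannot be skipped.  If an IS-to-AMS distance estimate is
    given, the intervals are ordered by closeness to the adjustment it implies
    (assuming, for lack of better information, that the AMS is half a radius
    from the ABS) so the likeliest interval is tried in the first frame."""
    t_max = prop_delay_us(2 * cell_radius_m)
    step = guard_us / 2.0
    offsets, t = [], -t_max / 2.0
    while t <= t_max / 2.0 + 1e-9:
        offsets.append(round(t, 3))
        t += step
    if offsets[-1] < t_max / 2.0:
        offsets.append(round(t_max / 2.0, 3))   # include the far-case endpoint
    if d_is_ams_est_m is not None:
        guess = prop_delay_us(d_is_ams_est_m) - prop_delay_us(cell_radius_m / 2.0)
        offsets.sort(key=lambda o: abs(o - guess))
    return offsets


if __name__ == "__main__":
    abs_xy, is_xy, ams_xy = (0.0, 0.0), (3000.0, 0.0), (0.0, 4000.0)  # constructed
    print(f"advance by {timing_adjust_us(abs_xy, is_xy, ams_xy):.3f} us")
    print(f"timing margin {timing_margin_us():.2f} us")
    d_est = distance_from_pilot_m(-70.0, 23.0, 2.5e9)   # constructed pilot measurement
    print(f"estimated IS-AMS distance {d_est:.0f} m")
    print("sweep order (us):", sweep_schedule_us(5000.0, d_is_ams_est_m=d_est))
```

With the IS 5 km from the AMS and the ABS 4 km from it, the IS must advance by about 3.34 us; the Table 10 figures give the 7.35 us margin of the text, and for a 5 km cell radius the sweep spans roughly -16.7 us to +16.7 us in 5.7 us steps, starting from the interval nearest the pilot-based estimate.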


iii.  Transmit  Injected  MAC  MSG.  The  IS  can  then 
formulate  the  MAC  management  message,  encapsulate  it  with  a  GMH  and  CRC 
at  the  tail  (optional)  to  form  a  MAC  management  frame,  and  transmit  it  with  a 
timing  adjustment  so  that  it  arrives  at  the  same  slot  destined  for  the  targeted 
AMS.  The  injected  MAC  frame  has  to  commence  at  the  very  beginning  of  the 
traffic  burst.  This  is  to  minimize  the  amount  of  context  we  will  need  to  deal  with  if 
we  inject  mid-frame. 


iv.  Verify  Effectiveness  of  Attack.  After  the  attempted 
injection  of  a  MAC  message  at  one  of  the  intervals  within  the  range,  the  IS  can 
monitor  traffic  from  the  ABS  and  AMS  during  the  next  frame  to  determine  if  the 
attack  was  successful. 
v. ARQ Considerations. As in the above scenarios, the
implications  of  the  ARQ  mode  and  the  parameters  in-force  have  to  be  considered 
when  formulating  the  MAC  message  and  encapsulating  frame.  Assuming  the 
timing  is  correct  and  the  frame  is  decoded  at  the  victim,  for  the  MAC 
management  message  to  be  accepted,  we  have  to  meet  ARQ  conditions.  This 
means  that  CRC  checks  have  to  pass  and  that  the  whole  ARQ  block  containing 
our  MAC  management  message  has  to  be  assessed  by  the  victim  as  intact. 
Otherwise,  this  frame  could  be  discarded  and  a  retransmit  request  sent  out  to  the 
source.  At  some  point  after  we  stop  our  transmission  and  the  signal  from  the 
source  starts  to  be  received  by  the  victim,  the  CRC  will  fail  and  the  ARQ  will 
trigger,  but  this  failed  block  must  not  contain  our  MAC  management  message. 
This  essentially  means  that  our  injected  message(s)  and  frame  have  to  be 
sufficiently  long.  The  ARQ  sequence  number  also  needs  to  continue  from  the  last 
sequence  number  used  during  the  previous  burst. 

vi.  Transmission  Power.  Due  to  the  TDMA  nature  of 
WiMAX,  our  injected  MAC  message  has  to  arrive  at  the  victim’s  location  at 
approximately  the  same  time  as  the  genuine  signal.  For  our  signal  to  override  the 
genuine  one,  our  signal  strength  needs  to  be  higher.  The  approach  taken  to 
estimate  the  transmission  power  for  this  scenario  is  different,  as  the  distances 
between the AMS and IS and between the ABS and AMS are unknown. In this case, the
path loss between the IS and targeted AMS ($L_{IS\text{-}AMS}$) has to be estimated since the
distance is unknown. The distance between the ABS and IS, as well as the
incident ABS power ($P_{ABS(incident)}$) measured at the IS, are used to estimate the
transmission power of the ABS. Since the distance between the ABS and AMS is
unknown, the worst case is assumed where the AMS is co-located with the ABS.
Therefore, full ABS transmission power is incident upon the AMS (the
$L_{ABS\text{-}AMS}$ term in Equation (2) is zero in this scenario). Thus, the ABS
transmission power, together with the path loss associated with the timing
currently being attempted, is used to compute the IS transmission power ($P_{TX}$). It
is also proposed that an overpower gain ($G_{overpower}$), which is dependent on the
modulation scheme in use, be applied to the transmission power. This overpower
gain is set according to the SNR requirement of the respective modulation
scheme. The proposed transmission power is calculated according to the
following:

$$P_{TX}(\mathrm{dB}) = P_{ABS(incident)} + L_{ABS\text{-}IS} + L_{IS\text{-}AMS} + G_{overpower}. \quad (3)$$

The  desired  net  effect  of  the  proposed  transmission  power  is 
to  force  the  victim’s  automatic  gain  control  to  reduce  gain  and  render  the  genuine 
source’s  transmission  to  appear  as  noise  in  comparison  to  our  signal  while 
meeting  the  SNR  requirement  of  the  modulation  scheme  in  use. 
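As an added example (not the thesis's own code), the script below evaluates Equations (1), (2) and (3) under the free-space path-loss model the text assumes and shows the cost of the worst-case assumption in Equation (3). The SNR-per-modulation table used as $G_{overpower}$ is illustrative (the values are the legacy IEEE 802.16-2004 receiver SNR assumptions), and the 30 dBm IS amplifier ceiling, carrier frequency and distances are constructed.

```python
"""Injection transmit-power estimates, Equations (1), (2) and (3).  Added
example, not the thesis's own code.  Free-space path loss is the model the
text assumes; the per-MCS receiver SNR values used as G_overpower are
illustrative (legacy IEEE 802.16-2004 receiver SNR assumptions), and the IS
amplifier limit is a constructed figure."""
import math

# Assumed minimum receiver SNR (dB) per modulation/coding rate, used as G_overpower.
SNR_REQ_DB = {"QPSK-1/2": 6.0, "QPSK-3/4": 8.5, "16QAM-1/2": 11.5,
              "16QAM-3/4": 15.0, "64QAM-2/3": 19.0, "64QAM-3/4": 21.0}
IS_MAX_TX_DBM = 30.0    # constructed IS power-amplifier ceiling


def fspl_db(d_m, f_hz):
    """Free-space path loss in dB for distance d_m (m) at carrier f_hz (Hz)."""
    return 20 * math.log10(d_m) + 20 * math.log10(f_hz) - 147.55


def p_tx_uplink_dbm(p_initial_ranging_dbm, p_adjust_db, mcs):
    """Equation (1): AMS-to-ABS case, ranging result plus overpower gain."""
    return p_initial_ranging_dbm + p_adjust_db + SNR_REQ_DB[mcs]


def p_tx_dl_known_dbm(p_abs_incident_dbm, d_abs_is_m, d_abs_ams_m, d_is_ams_m, f_hz, mcs):
    """Equation (2): recover the ABS transmit power from what the IS hears,
    project it onto the AMS, then add the IS-to-AMS loss and G_overpower."""
    l_abs_is = fspl_db(d_abs_is_m, f_hz)
    l_abs_ams = fspl_db(d_abs_ams_m, f_hz)
    l_is_ams = fspl_db(d_is_ams_m, f_hz)
    return p_abs_incident_dbm + l_abs_is - l_abs_ams + l_is_ams + SNR_REQ_DB[mcs]


def p_tx_dl_unknown_dbm(p_abs_incident_dbm, d_abs_is_m, d_is_ams_trial_m, f_hz, mcs):
    """Equation (3): AMS position unknown, so the worst case L_ABS-AMS = 0 is
    assumed (AMS co-located with the ABS); d_is_ams_trial_m is the IS-to-AMS
    distance implied by the timing interval currently being attempted."""
    l_abs_is = fspl_db(d_abs_is_m, f_hz)
    l_is_ams = fspl_db(d_is_ams_trial_m, f_hz)
    return p_abs_incident_dbm + l_abs_is + l_is_ams + SNR_REQ_DB[mcs]


def feasible(p_tx_dbm, limit_dbm=IS_MAX_TX_DBM):
    """Whether the required power is within the IS amplifier's reach."""
    return p_tx_dbm <= limit_dbm


def worst_case_penalty_db(d_abs_ams_m, f_hz):
    """How much Equation (3) over-asks relative to Equation (2): exactly the
    ABS-to-AMS loss that the unknown-location case cannot subtract."""
    return fspl_db(d_abs_ams_m, f_hz)


if __name__ == "__main__":
    f = 2.5e9                                  # constructed carrier frequency
    p_known = p_tx_dl_known_dbm(-60.0, 500.0, 2000.0, 500.0, f, "QPSK-1/2")
    p_unknown = p_tx_dl_unknown_dbm(-60.0, 500.0, 500.0, f, "QPSK-1/2")
    print(f"known location:   {p_known:.1f} dBm, feasible={feasible(p_known)}")
    print(f"unknown location: {p_unknown:.1f} dBm, feasible={feasible(p_unknown)}")
    print(f"worst-case penalty: {worst_case_penalty_db(2000.0, f):.1f} dB")
```

The sample link (ABS heard at -60 dBm from 500 m, AMS 2 km from the ABS and 500 m from the IS) needs about 28.3 dBm with the location known, which a 30 dBm IS can deliver; the worst-case form of Equation (3) asks for that plus the 106 dB ABS-to-AMS loss, which no practical amplifier supplies. In practice the unknown-location case therefore relies on the pilot-based distance estimate, not on the co-location bound alone.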
V. ATTACKS BASED ON MANIPULATION OF UPLINK
TRANSMISSION POWER WITH IEEE 802.16M-2011


A.  BACKGROUND 

Having  proposed  the  means  to  inject  MAC  management  messages,  we 
proceed  to  discuss  a  class  of  attack  which  involves  the  injection  of  messages  to 
manipulate  the  uplink  power  control  of  AMSs  within  a  WiMAX  cell.  Proper  power 
management  is  vital  to  the  correct  operation  of  a  WiMAX  cell.  Low  transmission 
power  results  in  high  bit  error  rates  or  no  reception.  Excessively  high 
transmission  power  also  results  in  interference  to  nearby  cells  using  the  same  set 
of  frequencies.  Both  effects  are  disruptive  to  the  targeted  network’s  operations. 
Depending  on  the  selected  attack  vectors,  the  effects  could  be  surgical  and 
covert,  targeting  a  single  AMS,  or  blanket,  disrupting  all  nodes  within  a  cell.  IEEE 
802.16m-2011  power  related  attacks  are  addressed  in  this  chapter.  Those  for 
legacy  systems  are  addressed  in  a  later  chapter. 

B.  UPLINK  POWER  CONTROL 

Overall  network  uplink  power  control  can  be  summarized  from  [15]  section 
16.3.8.4  in  Figure  47. 

In  Figure  47,  there  are  three  stages  in  uplink  power  control,  initial  network 
entry,  normal  network  operations,  and  handover.  In  the  following  subsections,  an 
overview  of  their  functionalities  is  given  which  provide  the  background  to 
understanding  the  attack  methodologies  presented  in  the  later  chapters  of  this 
thesis. 
Figure 47. Summary of uplink power control.


1.  Power  Control  during  Initial  Ranging 

As  discussed  previously,  an  AMS  attempting  to  join  a  network  first 
performs  downlink  synchronization,  which  includes  reading  system  parameters 
from  the  preamble,  superframe  headers,  assignment  A-MAPs,  or  UL-MAP  and 
DL-MAP.  The  AMS  then  attempts  to  perform  uplink  synchronization,  which 
includes initial ranging. The received signal strength (RSS) from the ABS is first
measured and combined with $EIRxP_{IR,min}$ and $BS\_EIRP$, which are
parameters present in SS-SFH SP2 and SP1, to obtain the initial transmission
power that the AMS will use to transmit the initial ranging preamble to the ABS.
This initial transmission power is calculated from

$$P_{TX\_IR\_MIN} = EIRxP_{IR,min} + BS\_EIRP - RSS. \quad (4)$$
Should the ranging operation be successful, the ABS provides power
adjustment figures to the AMS through the power level adjustment (or $P_{RNG\text{-}ACK}$)
parameter within the AAI-RNG-ACK MAC management message. After $N$ rounds
of ramping up and $m$ receptions of AAI-RNG-ACK, the final initial ranging
transmission power ($P_{TX\_IR\_Final}$) is

$$P_{TX\_IR\_Final} = P_{TX\_IR\_MIN} + N \times P_{IR,Step} + \sum_{m} P_{RNG\text{-}ACK(m)} \quad (5)$$

where $P_{IR,Step}$ is defined in the IEEE 802.16m-2011 standard as 2 dB.
Hence, $Offset_{Initial}$ is defined as

$$Offset_{Initial} = P_{TX\_IR\_Final} - \left(L + SINR_{InitialRanging} + NI - 10\log_{10}(RangingSubcarrierNum)\right) \quad (6)$$

where $L$ is the estimated average DL propagation loss calculated by the AMS; $NI$ is
the estimated average noise and interference power per subcarrier at the ABS as
indicated by the AAI-ULPC-NI message; and $SINR_{InitialRanging}$ is defined as

$$SINR_{InitialRanging} = offsetControl + targetInitialRangingSinr \quad (7)$$

where offsetControl is obtained from the A-MAP Information Element (IE) and
targetInitialRangingSinr is defined in Table 946 of the IEEE 802.16m-2011 standard.

2.  Power  Control  during  Network  Entry  and  Normal  Operations 

After completion of initial ranging, $NI$ and offsetControl are set as
instructed by the ABS through the A-MAP. Other UL power control parameters are set to
defaults as defined in Table 947 of the IEEE 802.16m-2011 standard.

During normal operations, the UL transmission power level is controlled by

$$P_T = PL + SINR_{Tgt} + P_{NI} + P_{offset} \quad (8)$$

where $PL$, $SINR_{Tgt}$, $P_{NI}$ and $P_{offset}$ are defined and illustrated in Figure 48.

Figure 48. Equation for MS uplink transmission power.


While this general equation holds true, different sets of $P_{offset}$ and $SINR_{Tgt}$
values exist for different channels (e.g., control, data, and ranging channels).

There are two types of $P_{offset}$ that are controlled by the ABS through the
AAI-UL-POWER-ADJUST message: $Offset_{Control}$ and $Offset_{Data}$. The $Offset_{Control}$
parameter governs the control channels and is defined as

$$Offset_{Control} = Offset_{Initial} + offsetControl \quad (9)$$

where $Offset_{Initial}$ was discussed in the previous section and offsetControl is the
parameter carried in the AAI-UL-POWER-ADJUST message, while the $Offset_{Data}$
parameter is used for the data channels and is defined as $Offset_{Data} = Offset_{Initial}$.


There are two types of $SINR_{Tgt}$: one governs the control channels and is
supplied by the ABS through the AAI-SCD message, and the other governs
the data channels and is defined by

$$SINR_{Tgt} = 10\log_{10}\left[\max\left(SINR_{min},\ \gamma\,SIR_{DL} - \alpha\right)\right] - \beta\,10\log_{10}(n_{stream}) \quad (10)$$

where $SINR_{Tgt}$, $SINR_{min}$, $\gamma$, $SIR_{DL}$, and $\alpha$ are defined and illustrated in
Figure 49. The $\beta$ value is a masking parameter set to zero or one for excluding
or including the effect of $n_{stream}$, where $n_{stream}$ is the number of streams in the
logical resource unit that is signaled by the uplink A-MAP.

Figure 49. Equation for $SINR_{Tgt}$ in uplink transmission power.


3.  Power  Control  during  Handover 

During  handover  of  an  AMS  from  cell  to  cell,  an  AAI-HO-CMD  message  is 
received  by  the  AMS.  Within  the  message,  the  CDMA_RNG_FLAG  indicates  if  it 
is  necessary  to  conduct  ranging.  If  CDMA_RNG_FLAG  =  0,  offsetData  and 
offsetControl  are  provided  within  the  message. 

C.  MANIPULATION  OF  POWER  CONTROL 

In  the  following  subsections,  possible  approaches  to  manipulate  the  uplink 
transmit  power  of  AMSs  are  discussed. 

1. Manipulate $P_{NI}$ for Entire Cell Through AAI-ULPC-NI

To reiterate, the transmission power at the AMS is governed by
Equation (8).

One possible attack on uplink power management is to inject an AAI-
ULPC-NI message with a small or large $NI$ value. If a low value is injected, the
SNR at the ABS drops. Should the drop be large enough to cause the SNR to fall
below the requirement for the modulation scheme in use, the bit error rate
increases or reception may be eliminated altogether. If a large $NI$ value is
injected, the large signal strength may increase interference with cells in the
vicinity using the same frequencies.

Although a single strong emission may not be a major problem for other
cells, bear in mind that this message is broadcast and all AMSs within the cell
may be affected under the right conditions, thus greatly multiplying the effect.
The parameter $NI$ is defined as

$$NI = P_{TN} + IoT + 10\log_{10}(\Delta f) \quad (11)$$

where $P_{TN}$ is the thermal noise power density at zero Celsius, which has a value
of -174.2 dBm/Hz, $\Delta f$ is the subcarrier spacing (Hz), and $IoT$ corresponds to
gammaIotFp0, which is defined in Table 11.

To change the power, the gammaIotFp0 field within AAI-ULPC-NI can be
modified; it can be varied from 0 to 63.5 dB in 0.5 dB steps, which represents a
dynamic range of $2.23 \times 10^6$. Details on this field are provided in Table 11. Both
control and data channels are affected by this manipulation.


Table 11. gammaIotFp parameter within AAI-ULPC-NI.

Field          Size (bits)   Value/Description
gammaIotFp0    7             IoT value of Frequency Partition #0, quantized in 0.5 dB
                             steps as IoT level from 0 dB to 63.5 dB.

AAI-ULPC-NI  is  a  broadcast  message,  and  all  AMSs  within  the  cell  served 
by  the  ABS  may  be  affected.  Although  all  AMSs  can  potentially  be  affected,  the 
timing  adjustment  from  the  IS  to  individual  AMS  also  needs  to  be  correct  for  the 
AMS  to  take  in  the  broadcast  correctly.  The  challenges  brought  about  by 
differences  in  timing  precipitated  by  the  distance  between  the  IS  and  ABS  are 
illustrated  in  Figure  50.  A  broadcast  signal  (by  IS)  reaches  AMSs  over  different 
locations  at  different  times  from  a  broadcast  signal  sent  from  the  real  ABS. 
Figure 50. Timing differences for different AMS during broadcast message
manipulation (near case and far case; $T_{prop,out} = 0$ us).


This  might  mean  that  if  multiple  AMSs  within  the  cell  need  to  be  targeted, 
the  spoofed  message  may  need  to  be  sent  out  repeatedly  over  several  frames 
within  a  range  of  timing  adjustments.  Alternatively,  the  closer  the  IS  is  to  the 
ABS,  the  smaller  the  maximum  timing  difference  is.  It  is  estimated  that  if  the 
distance  between  the  ABS  and  IS  is  within  the  distance  equivalent  to  a 
propagation  delay  of  one  Cyclic  Prefix  (CP)  (i.e.,11.42  us,  which  is  equivalent  to 
3426  m),  no  timing  adjustment  is  needed  in  order  to  affect  all  AMSs  within  the 
whole  cell. 
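The script below is an added example (not from the thesis) that works Equations (8) and (11) through for a spoofed AAI-ULPC-NI: it encodes and decodes the 7-bit gammaIotFp0 field, computes the resulting $NI$, shows that every AMS in the cell shifts its uplink power by the same amount until it reaches its amplifier ceiling, and checks whether the IS is close enough to the ABS to broadcast without a per-AMS timing sweep. The 10.9375 kHz subcarrier spacing (10 MHz, 1024-FFT profile), the 23 dBm AMS power ceiling and the per-AMS link values are constructed assumptions; $P_{TN}$ is the -174.2 dBm/Hz figure quoted in the text.

```python
"""Cell-wide uplink power shift from a spoofed AAI-ULPC-NI, Equations (8)
and (11).  Added example, not from the thesis.  The subcarrier spacing, the
AMS power ceiling and the per-AMS link values are constructed assumptions;
P_TN is the -174.2 dBm/Hz figure quoted in the text."""
import math

P_TN_DBM_HZ = -174.2             # thermal noise density as quoted in the text
SUBCARRIER_SPACING_HZ = 10937.5  # assumed 10 MHz / 1024-FFT profile
AMS_MAX_TX_DBM = 23.0            # assumed AMS power-amplifier ceiling
CP_US = 11.42                    # cyclic prefix duration used in the text
C = 299_792_458.0


def decode_gamma_iot_fp0(code):
    """7-bit gammaIotFp0 field of AAI-ULPC-NI: IoT of 0 .. 63.5 dB in 0.5 dB steps."""
    if not 0 <= code <= 127:
        raise ValueError("gammaIotFp0 is a 7-bit field")
    return code * 0.5


def encode_gamma_iot_fp0(iot_db):
    """Field value the IS must place in the spoofed message for a wanted IoT."""
    code = round(iot_db * 2)
    if not 0 <= code <= 127:
        raise ValueError("IoT outside the 0 .. 63.5 dB field range")
    return code


def ni_dbm(iot_db, spacing_hz=SUBCARRIER_SPACING_HZ):
    """Equation (11): per-subcarrier noise-and-interference level."""
    return P_TN_DBM_HZ + iot_db + 10 * math.log10(spacing_hz)


def ul_tx_power_dbm(pl_db, sinr_tgt_db, ni, p_offset_db, cap_dbm=AMS_MAX_TX_DBM):
    """Equation (8), clipped at the AMS amplifier ceiling (the equation is
    unbounded; a real terminal is not)."""
    return min(pl_db + sinr_tgt_db + ni + p_offset_db, cap_dbm)


def spoof_effect(ams_links, genuine_code, spoofed_code):
    """For each AMS (pl_db, sinr_tgt_db, p_offset_db), uplink power before and
    after the injected NI and the delta.  Every AMS moves by the same delta-NI
    until it hits its ceiling, which is what makes the broadcast a cell-wide lever."""
    ni_before = ni_dbm(decode_gamma_iot_fp0(genuine_code))
    ni_after = ni_dbm(decode_gamma_iot_fp0(spoofed_code))
    out = []
    for pl, sinr, off in ams_links:
        before = ul_tx_power_dbm(pl, sinr, ni_before, off)
        after = ul_tx_power_dbm(pl, sinr, ni_after, off)
        out.append((before, after, after - before))
    return out


def cp_reach_m(cp_us=CP_US):
    """Distance from the ABS within which the IS can broadcast without a
    per-AMS timing adjustment: one cyclic prefix of propagation."""
    return cp_us * 1e-6 * C


def needs_timing_sweep(d_abs_is_m, cp_us=CP_US):
    return d_abs_is_m > cp_reach_m(cp_us)


if __name__ == "__main__":
    # constructed links: (path loss dB, SINR_tgt dB, P_offset dB)
    cell = [(100.0, 8.0, 0.0), (115.0, 8.0, -2.0), (125.0, 12.0, 0.0)]
    for before, after, delta in spoof_effect(cell, 0, encode_gamma_iot_fp0(20.0)):
        print(f"{before:7.2f} -> {after:7.2f} dBm  (delta {delta:+.2f} dB)")
    print(f"CP reach {cp_reach_m():.0f} m; sweep needed at 5 km: {needs_timing_sweep(5000)}")
```

Raising the field from 0 to 20 dB lifts the first two constructed AMSs by exactly 20 dB, while the cell-edge AMS is already near its ceiling and gains less; the attacker's interference yield is therefore bounded by the terminals' headroom, not only by the 63.5 dB field range. The CP-reach check reproduces the text's figure of roughly 3.4 km.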

2. Manipulate $P_{offset}$ For Single AMS through AAI-UL-POWER-
ADJUST

To  reiterate,  the  transmission  power  of  an  AMS  is  governed  by  Equation 
(8).  Another  possible  attack  of  uplink  power  management  is  to  inject  an  AAI-UL- 
POWER-ADJUST  message  with  a  low  or  high  offsetData  or  offsetControl  value. 
If  a  low  value  is  injected,  the  SNR  at  ABS  drops.  Should  the  drop  be  large 
enough  to  cause  the  SNR  to  fall  below  that  required  for  the  modulation  scheme, 
the  bit  error  rate  will  increase  or  reception  may  be  eliminated  altogether.  If  a  high 
offset  value  is  injected,  the  high  signal  strength  may  increase  interference  for 
cells in the vicinity using the same frequencies. However, since this is a unicast
message, only one AMS is affected by the message injection, and a single strong
emission may not be a major problem for other cells. To cause a larger impact on
other cells, multiple AMSs may need to be manipulated to multiply the effect.

The offsetData and offsetControl fields in the AAI-UL-POWER-ADJUST
message can be varied from -15.5 to 16 dB in 0.5 dB steps, a span of 31.5 dB,
which represents a dynamic range of about $1.4 \times 10^3$. Details on these fields are provided in Table 12.


Table 12. Offset parameters within AAI-UL-POWER-ADJUST.

Field           Size (bits)   Value/Description
offsetData      6             Transmission power adjustment value transmitted by the
                              ABS; represents a value from -15.5 to 16 dB in 0.5 dB steps.
offsetControl   6             Transmission power adjustment value transmitted by the
                              ABS; represents a value from -15.5 to 16 dB in 0.5 dB steps.

As  discussed  earlier,  AAI-UL-POWER-ADJUST  is  a  unicast  message  and 
only  a  single  AMS  will  be  affected  per  successful  message  injection.  Offset 
values  for  control  and  data  channels  can  be  individually  set,  meaning  that  the 
data  channel  can  be  selectively  targeted  while  leaving  the  control  channels 
alone. This approach can disrupt network operations while making detection
more difficult, as the affected AMS will appear to be functioning normally
because it is still responding on the control channels.

For  IEEE  802.16m,  challenges  still  exist.  Since  AAI-UL-POWER-ADJUST 
is  a  unicast  message,  its  A-MAP  is  scrambled  as  described  in  Sections  II.C.7  and 
II.B.1.  It  is  not  readily  accessible  unless  an  algorithm  is  developed  to  overcome 
the  scramble.  Hence,  injecting  an  AAI-UL-POWER-ADJUST  poses  a  significant 
challenge  as  of  now. 
3. Manipulate $SINR_{Tgt}$

To reiterate, transmission power at the AMS is governed by Equation (8).
Another possible attack on uplink power management is to manipulate $SINR_{Tgt}$ by
injecting an AAI-SCD message. The $SINR_{Tgt}$ parameter is defined in Equation
(10). Details for three of the parameters in this equation are provided in Table 13.


Table 13. Details of key parameters of AAI-SCD.

Field          Size (bits)   Value/Description
gammaIotFp0    4             gammaIotFp (IoT) is the fairness and IoT control factor,
                             broadcast by the ABS. Its 4 bits represent a value among
                             {0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1.0, 1.1,
                             1.2, 1.3, 1.4, 1.5}. It is different for each frequency
                             partition (FP0, FP1, FP2, FP3).
alpha          3             alpha ($\alpha$) is the factor according to the number of
                             receive antennas at the ABS. Its 3 bits express {1, 1/2,
                             1/4, 1/8, 1/16, 0, reserved, reserved}.
dataSinrMin    4             dataSinrMin is the SINR requirement for the minimum data
                             rate expected by the ABS. SINRmin_Data has 4 bits to
                             represent a value in dB among {-INF, -3, -2.5, -2, -1.5,
                             -1, -0.5, 0, 0.5, 1, 1.5, 2, 2.5, 3, 3.5, 4}.

a.  Manipulating  dataSinrMin  through  AAI-SCD 

With  reference  to  Equation  (10),  it  is  possible  to  manipulate  SINRtgt 
by  spoofing  AAI-SCD  with  an  amended  dataSinrMin.  However,  due  to  the 
maximum  function  built  into  the  equation,  there  is  no  effect  if  the  other  term  is 
higher  than  the  new  dataSinrMin. 

b.  Manipulating  gammalotFpx  through  AAI-SCD 

With  reference  to  Equation  (10),  it  is  possible  to  manipulate  SINRtgt 
by  spoofing  AAI-SCD  with  an  amended  gammalotFpx.  However,  due  to  the 
maximum  function  built  into  the  equation,  there  is  no  effect  if  the  other  term  is 
higher  than  the  new  value. 
c. Manipulating alpha through AAI-SCD

With  reference  to  Equation  (10),  SINRtgt  can  be  manipulated  by 
amending  alpha  within  AAI-SCD.  However,  due  to  the  maximum  function  built 
into  the  equation,  there  is  no  effect  if  the  other  term  is  higher  than  the  new  value. 
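The following added example (not the thesis's own code) evaluates Equation (10) from the AAI-SCD fields of Table 13 and the offset fields of Table 12, and reports what a spoofed field actually changes, so the max() clamp described in the three subsections above can be seen numerically. It follows the text's form of Equation (10), treating $SINR_{min}$ and $SIR_{DL}$ as linear ratios inside the max() and converting to dB outside; that reading, the $\beta$ and $n_{stream}$ defaults, and the sample link values are assumptions.

```python
"""SINR_tgt from AAI-SCD fields (Equation (10)) and the offsetData /
offsetControl fields of AAI-UL-POWER-ADJUST (Table 12), with a check of what
a spoofed field changes.  Added example, not from the thesis.  Equation (10)
is evaluated with SINR_min and SIR_DL as linear ratios inside the max() and
converted to dB outside (an assumption); beta, n_stream and the sample link
values are constructed."""
import math

DATA_SINR_MIN_DB = [-math.inf, -3, -2.5, -2, -1.5, -1, -0.5, 0,
                    0.5, 1, 1.5, 2, 2.5, 3, 3.5, 4]          # 4-bit dataSinrMin
ALPHA = [1, 0.5, 0.25, 0.125, 0.0625, 0]                      # 3-bit alpha (6, 7 reserved)


def decode_gamma_iot_fp(code):
    """4-bit gammaIotFp of AAI-SCD: 0 .. 1.5 in steps of 0.1."""
    if not 0 <= code <= 15:
        raise ValueError("gammaIotFp is a 4-bit field")
    return code / 10.0


def decode_offset_db(code):
    """6-bit offsetData / offsetControl: -15.5 .. 16 dB in 0.5 dB steps."""
    if not 0 <= code <= 63:
        raise ValueError("offset fields are 6 bits")
    return -15.5 + 0.5 * code


def db(x):
    return 10 * math.log10(x)


def sinr_tgt_db(sinr_min_db, gamma_iot, sir_dl_db, alpha, beta=0, n_stream=1):
    """Equation (10).  Returns -inf when both terms of the max() are
    non-positive, i.e. no target can be formed."""
    sinr_min_lin = 10 ** (sinr_min_db / 10) if sinr_min_db > -math.inf else 0.0
    sir_dl_lin = 10 ** (sir_dl_db / 10)
    inner = max(sinr_min_lin, gamma_iot * sir_dl_lin - alpha)
    if inner <= 0:
        return -math.inf
    return db(inner) - beta * db(n_stream)


def spoof_delta_db(link, **spoofed):
    """Change in SINR_tgt when some AAI-SCD fields are replaced.  link holds
    sinr_min_db, gamma_iot, sir_dl_db, alpha (optionally beta, n_stream).
    Returns 0.0 when the max() in Equation (10) swallows the change."""
    genuine = sinr_tgt_db(**link)
    return sinr_tgt_db(**{**link, **spoofed}) - genuine


def offset_lever_range_db():
    """Span reachable through offsetData/offsetControl and the linear factor
    it corresponds to."""
    span = decode_offset_db(63) - decode_offset_db(0)
    return span, 10 ** (span / 10)


if __name__ == "__main__":
    link = dict(sinr_min_db=DATA_SINR_MIN_DB[1], gamma_iot=decode_gamma_iot_fp(10),
                sir_dl_db=10.0, alpha=ALPHA[1])             # constructed link
    print(f"SINR_tgt = {sinr_tgt_db(**link):.2f} dB")
    print("raise dataSinrMin to 4 dB:", round(spoof_delta_db(link, sinr_min_db=4), 2), "dB")
    print("drop gammaIotFp to 0.1:   ", round(spoof_delta_db(link, gamma_iot=0.1), 2), "dB")
    print("offset lever: %.1f dB (x%.0f)" % offset_lever_range_db())
```

For the constructed link the $\gamma\,SIR_{DL} - \alpha$ term dominates, so raising dataSinrMin to its 4 dB maximum changes nothing, whereas dropping gammaIotFp pulls $SINR_{Tgt}$ down only as far as the $SINR_{min}$ floor. The offset fields span 31.5 dB, a factor of about 1.4 x 10^3, which is why the text ranks the 63.5 dB NI field as the stronger lever.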

4.  Holistic  Analysis  of  Power-Manipulation  Options 

A summary of power-related attacks is provided in Table 14. The analysis below compares the three key attack approaches:

a. Effect of Impact

The three approaches achieve varying degrees of dynamic range, from 63.5 dB for NI within AAI-ULPC-NI to a factor of 1.5 for gammaIotFp in AAI-SCD. A higher dynamic range is desirable, as it produces a more pronounced impact. Comparisons are shown in the "Power Control Range" column in Table 14. From the perspective of maximum impact, the approach involving the manipulation of Pni is the most desirable.

b.  Ease  of  Attack 

Similarly, the three approaches have varying degrees of ease of execution, ranging from a simple and short MAC management message injection (a message body of less than 50 bits) for manipulating Pni within the AAI-ULPC-NI message, to a moderately long (more than 200 bits) MAC management message modification when Poffset is manipulated through gammaIotFp in AAI-SCD. Longer message injection requires reading in and formulating a larger number of parameters, which increases complexity. Aside from this, the approach for manipulating Poffset also involves dependencies: manipulation of one single parameter is not sufficient, and multiple parameters need to be manipulated together to achieve results. Comparisons of the three approaches are shown in the "Length of Inject MSG" and "Execution Dependencies" columns in Table 14. In addition, the current challenges associated with injecting unicast messages make the option of manipulating the offsetData and offsetControl parameters difficult. From the perspective of ease of attack, the approach involving the manipulation of Pni is the most desirable.

c.  Scope  of  Effects  and  Signature 

Attacks manipulating the NI field in the AAI-ULPC-NI message have a widespread impact, since the message is a broadcast: either all AMSs within the cell lose communications, or all AMSs transmit at excessively high power, causing interference to neighboring cells using the same set of frequencies. Manipulating Offset, on the other hand, is a surgical attack targeted at one AMS. Hence, depending on the context and the intent of the attack, the two options serve different needs. The surgical option is, of course, subject to overcoming assignment A-MAP scrambling, as discussed earlier.
Table 14. Comparison of three approaches to disrupt uplink power control.

S/N 1. Avenue: Pni (NI field of AAI-ULPC-NI)
  What is involved: compute the required NI using the power-control equation; alter the NI parameter in AAI-ULPC-NI.
  Length of inject MSG: 35 bits, not including header.
  Power control range: 0 to 63.5 dB in 128 steps.
  Execution dependencies: nil.
  Permanence: overwritten by the next (periodic) AAI-ULPC-NI; the spoofed message must be re-injected once the overwriting message from the ABS is detected.
  Preference: favorable.
  Remarks: as AAI-ULPC-NI is a broadcast, the attack will IMPACT ALL AMSs served by the ABS.

S/N 2. Avenue: Offset (offsetData and offsetControl in AAI-UL-POWER-ADJUST)
  What is involved: alter the offsetData/offsetControl parameters in the unicast AAI-UL-POWER-ADJUST message.
  Length of inject MSG: 39 bits, not including header.
  Power control range: -15.5 to 16 dB in 0.5 dB steps.
  Execution dependencies: nil (unicast injection is, however, subject to overcoming assignment A-MAP scrambling; see c. above).
  Permanence: overwritten by the next (periodic) AAI-UL-POWER-ADJUST; the spoofed message must be re-injected once the overwriting message from the ABS is detected.
  Remarks: selective targeting of specific AMSs.

S/N 3. Avenue: Poffset, via the SINRtgt parameters in AAI-SCD
  3.1 Alter the "dataSinrMin" parameter in AAI-SCD.
  3.2 Alter the "gammaIotFpX" (interference over thermal control factor) parameter in AAI-SCD.
  3.3 Alter the "alpha" parameter in AAI-SCD.
  Length of inject MSG: 209 bits, not including header (for each of 3.1 to 3.3).
  Power control range: up to a factor of 1.5 for gammaIotFp (see a. above).
  Execution dependencies: manipulating a single parameter is not sufficient; multiple parameters must be altered together, and a value below the other term of the maximum in Equation (10) has no effect.
  Permanence: overwritten by the next (periodic) AAI-SCD; the spoofed message must be re-injected once the overwriting message from the ABS is detected.
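To make the field ranges in Table 14 and the maximum-function caveat in a. to c. above concrete, the following Python is an added example (it is not code from the thesis): it decodes the AAI-SCD fields from their bit-field indices using the value tables given on this page, decodes the NI and offset fields from their ranges in Table 14, and tests whether a spoofed dataSinrMin would change the target at all. The linear index-to-dB codings assumed for NI and offset, and the treatment of the non-dataSinrMin term of Equation (10) as an already-evaluated input, are assumptions of this example, not statements of the standard.

```python
"""Added example: decode IEEE 802.16m uplink power-control fields and check
whether a spoofed value would move the AMS target (not thesis code)."""

# AAI-SCD field value tables, as listed on this page.
GAMMA_IOT_FP = [round(0.1 * i, 1) for i in range(16)]           # 4-bit index -> 0.0 ... 1.5
ALPHA = [1.0, 0.5, 0.25, 0.125, 0.0625, 0.0, None, None]          # 3-bit index; codes 6, 7 reserved
DATA_SINR_MIN_DB = [float("-inf"), -3.0, -2.5, -2.0, -1.5, -1.0, -0.5, 0.0,
                    0.5, 1.0, 1.5, 2.0, 2.5, 3.0, 3.5, 4.0]      # 4-bit index


def decode_ni_db(index):
    """NI field of AAI-ULPC-NI: 0 to 63.5 dB in 128 steps (Table 14).
    Assumption: linear coding, index 0 -> 0 dB, 0.5 dB per step (7 bits)."""
    if not 0 <= index < 128:
        raise ValueError("NI index must fit in 7 bits")
    return index * 0.5


def decode_offset_db(index):
    """offsetData/offsetControl of AAI-UL-POWER-ADJUST: -15.5 to 16 dB in
    0.5 dB steps (Table 14). Assumption: linear coding from -15.5 dB (6 bits)."""
    if not 0 <= index < 64:
        raise ValueError("offset index must fit in 6 bits")
    return -15.5 + index * 0.5


def decode_scd_fields(gamma_idx, alpha_idx, sinr_min_idx):
    """Return (gammaIotFp, alpha, dataSinrMin in dB); reject reserved alpha codes."""
    alpha = ALPHA[alpha_idx]
    if alpha is None:
        raise ValueError("reserved alpha code")
    return GAMMA_IOT_FP[gamma_idx], alpha, DATA_SINR_MIN_DB[sinr_min_idx]


def sinr_target_db(other_term_db, sinr_min_idx):
    """The page's model of Equation (10): SINRtgt is the larger of a term derived
    from gammaIotFp/alpha and dataSinrMin. The first term is passed in already
    evaluated, because its exact form is not reproduced in this example."""
    return max(other_term_db, DATA_SINR_MIN_DB[sinr_min_idx])


def spoof_moves_target(other_term_db, current_idx, spoofed_idx):
    """True only if a spoofed dataSinrMin changes SINRtgt: the caveat in a. to c.
    above, a value below the other term has no effect on the AMS."""
    return sinr_target_db(other_term_db, spoofed_idx) != sinr_target_db(other_term_db, current_idx)


def dynamic_range_db(decoder, n_codes):
    """Span between the largest and smallest value a field can signal."""
    values = [decoder(i) for i in range(n_codes)]
    return max(values) - min(values)
```

With the other term of Equation (10) sitting at 2 dB, lowering dataSinrMin from 0 dB (index 7) to -2 dB (index 3) leaves the target at 2 dB, while raising it to 4 dB (index 15) moves the target; the NI field spans 63.5 dB against 31.5 dB for the offset field, which is the ordering argued in a. above.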
VI. OTHER ATTACKS WITH IEEE 802.16M-2011


As noted, IEEE 802.16m-2011 is a relatively new standard that is substantially different from legacy standards and warrants a reinvestigation, not only of new vulnerabilities but also of whether old vulnerabilities found and fixed in legacy standards have reemerged. The remaining possible vulnerabilities identified within IEEE 802.16m-2011 are examined in this chapter.

A.  MIMO  RELATED  ATTACKS 

1.  System  Configuration  Descriptor  (AAI-SCD) 

This management message is transmitted by the ABS at a periodic interval to define the system configuration. By spoofing the AAI-SCD message with a false alpha parameter (which reflects the number of receive antennas), an AMS attempting to join the network can be misled as to the actual number of receive antennas on the ABS and adopt the wrong MIMO scheme, parameters and codes, disrupting communications. Besides changing the alpha parameter, the "Configuration Change Count" in the AAI-SCD must also be incremented by 1 modulo 16 whenever the contents of the message change; otherwise the spoofed message is discarded, because an AMS ignores the rest of an AAI-SCD as soon as it sees a "Configuration Change Count" equal to the one previously received. Incrementing it ensures that the AMS parses and interprets the whole spoofed AAI-SCD. This attack vector was developed from an understanding of the IEEE standard [15], Section 16.2.3.31.

2.  Basic  Capability  Request  and  Response  (AAI-SBC-REQ  and 
AAI-SBC-RSP) 

AAI-SBC-REQ is transmitted by an AMS that is attempting to enter the network. It contains the maximum "capability class" that the AMS can support. Upon receiving the AAI-SBC-REQ management message, the ABS informs the AMS of the capability class to adopt through the AAI-SBC-RSP management message. One attack vector that may adversely affect MIMO performance involves spoofing the AAI-SBC-REQ message during initial network entry, indicating a low or erroneous figure for the following parameters: "Maximum number of streams for Single-User MIMO (SU-MIMO) in DL MIMO", "Maximum number of streams for CL multi-user MIMO (MU-MIMO) in AMS point of view in DL MIMO", "DL MIMO mode", and "Number of Tx Antenna of AMS."

This is expected either to cause the ABS to issue an AAI-SBC-RSP message instructing the AMS to use a MIMO mode below its capability, or to disrupt communications due to mode and parameter mismatch.

Alternatively, an attacker can issue an AAI-SBC-RSP management message with MIMO settings that do not match those requested by the AMS. As a result, a mismatch in parameters between the ABS and AMS can arise, which disrupts communications. This attack vector was developed from an understanding of the IEEE standard [15], Sections 16.2.3.5 and 16.2.3.6.

B.  FLOODING  ATTACKS 

1.  Ranging  Request  (AAI-RNG-REQ) 

This  possible  attack  involves  repeated  transmission  of  AAI-RNG-REQ 
messages  that  can  tie  up  ABS  resources  and  deny  entry  for  legitimate  AMSs. 
The  attack  is  possible  because  the  message  is  unprotected  by  either  ICV  or 
CMAC.  The  constraint  imposed  by  the  STID  and  MAPMask  seed  does  not  apply 
to  this  message,  as  it  is  sent  over  the  code-division  multiple  access  (CDMA) 
channel  allocated  to  the  AMS  during  ranging  and  network  entry.  This  attack 
vector  was  developed  after  investigating  the  IEEE  standard  [15],  Section  16.2.3. 

2.  Reset  Command  (AAI-RES-CMD) 

This message forces an AMS to reset itself, reinitialize its MAC and repeat initial system access. The message was previously identified as a vulnerability, and authentication was added to protect it. However, this protection merely narrows the window of application from any time, previously, to the network entry process. By identifying this window through analysis, the message can still be injected to deny network access to a legitimate AMS.

The window of opportunity is identified to be after completion of the ranging process (the AMS has been issued a TSTID) and before establishment of a security association (after which all messages are encrypted and authenticated). This window is illustrated in Figure 51.


Window  of 
opportunity 


Successful  attack 
forces  AMS  to 
restart  network 
entry 


Figure  51.  AAI-RES-CMD  insertion  window  (After  [15]  section  16.2.5.3.2). 

The  constraint  imposed  by  the  STID  and  MAPMask  seed  does  not  apply 
in  this  case  because  during  the  above  window  of  opportunity,  the  security 
association  is  not  ready  and  the  system  is  still  using  the  TSTID  and  MAPMask 
seed  issued  by  the  AAI-RNG-RSP  message.  The  AAI-RNG-RSP  message  is  not 
encrypted  at  this  stage,  and,  thus,  the  TSTID  and  MAPMask  seed  are  available 
to  an  attacker.  They  are  replaced  later  by  STID  and  a  new  MAPMask  seed  via 
the  AAI-REG-RSP  message  in  encrypted  form.  This  attack  vector  was  developed 
after  investigating  the  IEEE  standard  [15],  Sections  16.2.3.49  and  16.2.3. 
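The window described above can be stated as a small state machine. The following Python is an added example (not code from the thesis): it models the three phases of network entry the page describes (before AAI-RNG-RSP, between AAI-RNG-RSP and the security association, and after the security association) and shows why an injected AAI-RES-CMD is honoured only in the middle phase. The state names, the acceptance rules and the TSTID/STID strings are assumptions of this model, not the standard's literal state machine or identifier formats.

```python
"""Added example: when does an injected AAI-RES-CMD reset the AMS? (not thesis code)"""

from enum import Enum, auto


class EntryState(Enum):
    RANGING = auto()         # no TSTID yet: nothing for an attacker to address
    PRE_SA = auto()          # TSTID and MAPMask seed issued in the clear by AAI-RNG-RSP
    SA_ESTABLISHED = auto()  # STID issued via encrypted AAI-REG-RSP; CMAC/ICV enforced


class AmsEntry:
    """Assumed AMS-side view of network entry, following the page's description."""

    def __init__(self):
        self.state = EntryState.RANGING
        self.identity = None
        self.restarts = 0

    def on_rng_rsp(self, tstid):
        # AAI-RNG-RSP is unencrypted at this stage: the TSTID is visible to a listener.
        self.identity = tstid
        self.state = EntryState.PRE_SA

    def on_sa_established(self, stid):
        # After the security association the AMS switches to the STID carried in the
        # encrypted AAI-REG-RSP, which a passive attacker cannot read.
        self.identity = stid
        self.state = EntryState.SA_ESTABLISHED

    def on_res_cmd(self, target_id, cmac_valid):
        """Return True if the reset is honoured (the AMS restarts network entry)."""
        if self.state is EntryState.RANGING:
            return False                          # no identity to address yet
        addressed = target_id == self.identity
        if self.state is EntryState.PRE_SA:
            accepted = addressed                  # no keys yet: a CMAC cannot be checked
        else:
            accepted = addressed and cmac_valid   # authentication protects this phase
        if accepted:
            self.state = EntryState.RANGING
            self.identity = None
            self.restarts += 1
        return accepted


def attack_inside_window():
    """Attacker reads the TSTID from AAI-RNG-RSP and injects a reset before the SA."""
    ams = AmsEntry()
    ams.on_rng_rsp(tstid="TSTID-0x2A")            # constructed identifier
    accepted = ams.on_res_cmd("TSTID-0x2A", cmac_valid=False)
    return accepted, ams.state


def attack_after_sa():
    """Same injection after the SA: the attacker has neither the key nor the STID."""
    ams = AmsEntry()
    ams.on_rng_rsp(tstid="TSTID-0x2A")
    ams.on_sa_established(stid="STID-0x7F3")      # constructed identifier
    accepted = ams.on_res_cmd("TSTID-0x2A", cmac_valid=False)
    return accepted, ams.state
```

Inside the window the reset is accepted and the AMS drops back to ranging; after the security association the same frame is rejected, which is exactly the narrowing of the attack window that the added authentication achieves and no more.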




C.  WATER  TORTURE  ATTACKS 

1.  Traffic  Indicator  (AAI-TRF-IND) 

AMSs can enter sleep mode to conserve power, with an assigned SLPID (sleep ID). Sleeping AMSs are allocated listening windows so they can wake up momentarily to listen for messages destined for them. An AAI-TRF-IND message is a broadcast message sent by an ABS to indicate to a group of AMSs with the same SLPID that downlink traffic for them is present (see Figure 52 for an illustration of sleep mode operation). With a negative indication of downlink traffic, the AMS returns to sleep for the rest of the listening cycle, saving power. With a positive indication, the AMS remains awake for the rest of its listening cycle. By repeatedly spoofing the message with a positive indication, an attacker can increase battery drain on AMSs within the cell. This vulnerability was identified in legacy systems in [5], [7], and [8]. It is analyzed to be still present within IEEE 802.16m-2011. The constraint imposed by the STID and MAPMask seed does not apply to this message, because it is a broadcast message. This attack vector was verified after investigating the IEEE standard [15], Sections 16.2.3.27 and 16.2.3.


Figure 52. Illustration of sleep mode within connected state (After [14]).
2. BS Paging Advertisement (AAI-PAG-ADV)

As illustrated in Figure 53, AMSs can enter an idle state from the connected state to conserve power and can be in paging-available or paging-unavailable mode. AAI-PAG-ADV is used to page AMSs within a paging group, with an "action code" in the message indicating that the devices need to conduct network reentry or perform ranging to update the ABS of their locations. A spoofed AAI-PAG-ADV can therefore be sent to force AMSs to reenter the network and hence increase battery drain.

The constraint imposed by the STID and MAPMask seed does not apply in this case, because this is a broadcast message. This attack vector was developed after investigating the IEEE standard [15], Sections 16.2.3.23 and 16.2.3.

Figure 53. Illustration of operating modes within idle state (After [14]).

D.  OTHER  GENERAL  MESSAGE  MODIFICATION  ATTACKS 
1.  Ranging  Response  (AAI-RNG-RSP) 

The AAI-RNG-RSP management message is transmitted by the ABS in response to the AAI-RNG-REQ message. It can also be transmitted asynchronously to send corrections after measurements are calculated from other received data/traffic. One attack vector proposed by Blair [11] is to spoof the message during initial network entry with the abort flag set. This is expected to cause ranging to be aborted and network entry to fail. This attack vector was verified after investigating the IEEE standard [15], Sections 16.2.3.2 and 16.2.3.

2.  Ranging  Acknowledge  (AAI-RNG-ACK) 

The  AAI-RNG-ACK  message  is  sent  by  the  ABS  in  response  to  the 
ranging  request  during  initial  ranging  to  provide  timing,  power,  and  frequency 
adjustments  to  the  AMS.  A  possible  attack  vector  is  to  spoof  this  message,  thus, 
disrupting  network  entry  of  the  AMS  since  the  parameters  are  wrong.  This  attack 
vector  was  developed  after  investigating  the  IEEE  standard  [15],  Sections 
16.2.3.3  and  16.2.3. 

3.  Basic  Capability  Request  and  Response  (AAI-SBC-REQ  and 
AAI-SBC-RSP) 

AAI-SBC-REQ is transmitted by an AMS that is attempting to enter the network; it contains the maximum "capability class" that the AMS can support. Upon receiving the AAI-SBC-REQ management message, the ABS informs the AMS of the capability class to adopt through the AAI-SBC-RSP management message. One attack vector proposed by Blair [11] is to spoof the AAI-SBC-REQ message during initial network entry, indicating a low or nil encryption/decryption capability class. This is expected to cause the ABS to adopt low or nil encryption for the connection and to command the AMS to do so within an AAI-SBC-RSP.

Alternatively, an attacker can spoof an AAI-SBC-RSP management message with capability classes that match neither those requested by the AMS nor those instructed by the ABS. As a result, a mismatch in parameters between the ABS and AMS can arise, disrupting communications. This attack vector was developed after investigating the IEEE standard [15], Sections 16.2.3.5, 16.2.3.6, and 16.2.3.
4. Neighbor Advertisement (AAI-NBR-ADV)

The AAI-NBR-ADV management message is broadcast by an ABS to provide channel information about neighboring BSs. An attacker can spoof AAI-NBR-ADV with a fake BS, or falsely report poor characteristics for neighboring ABSs, to hamper AMSs from initiating handover to an ABS with better characteristics. This vulnerability was identified for the legacy standard in [7] and [8] and still exists in 802.16m-2011. This attack vector was verified after investigating the IEEE standard [15], Sections 16.2.3.13 and 16.2.3.

5.  Location-based  Service  Advertisement  (AAI-LBS-ADV) 

An ABS that supports Location Based Services (LBS) uses the AAI-LBS-ADV message to broadcast LBS-related configuration information. The ABS may broadcast the message periodically without solicitation. The message provides the AMS with the geo-location of neighboring ABSs, which the AMS can use for triangulation or trilateration to determine its own location. The message also contains time and frequency information to improve GPS receiver performance on the AMS [14]. If both the ABS and the AMS support LBS, it may be possible to spoof AAI-LBS-ADV with wrong latitude and longitude coordinates for the serving ABS and the neighboring ABSs; this confuses the AMS about its own location and degrades the GPS's performance. Alternatively, since the physical locations of all the ABSs in the area are available in the message, the ABSs are exposed to physical attack, resulting in permanent network damage. This attack vector was developed after investigating the IEEE standard [15], Sections 16.2.3.62 and 16.2.3.
VII. ATTACKS ON LEGACY SYSTEMS


Attacks on legacy systems are significantly easier for two reasons. First, the UL and DL MAPs are readable; thus, besides attacking the broadcast messages, the unicast messages can also be targeted. Second, the legacy control messages are not encrypted, since the ICV is only implemented in IEEE 802.16m-2011. This makes obtaining network information significantly easier. The following subsections discuss some of the possible vulnerabilities.

A.  ADVANCED  ANTENNA  SYSTEM  (AAS)  RELATED  ATTACKS 

The advanced antenna system (AAS) is a multiple-antenna scheme that allows beam forming using adaptive array techniques. An AAS_Beam_Select message can be sent by the MS to inform the BS about a preferred beam. This message may be spoofed to change the preferred beam and cause disruption in communications. This attack vector was developed after investigating the IEEE standard [13], Sections 6.3.2.3.36 and 11.1.2.

B.  POWER  RELATED  ATTACKS 

1.  Fast  Power  Control  (FPC) 

FPC is a control message used by the BS to adjust the power levels of multiple MSs. As identified in previous literature [8], by spoofing this message an attacker can reduce or increase MS transmission power over a range of -32 dB to +32 dB, in steps of 0.25 dB. If the power level is reduced, the BS is unable to receive the transmission; if it is increased, excessive interference can result [8]. FPC is the counterpart of the AAI-ULPC-NI message in the IEEE 802.16m standard. This attack vector was verified after investigating the IEEE standard [13], Sections 6.3.2.3.34 and 11.1.2.
C. ARQ RELATED ATTACKS


ARQ  related  control  messages  are  not  protected,  and  several  messages 
can  be  spoofed  to  disrupt  error-control  operations.  Some  of  the  ARQ  attacks  are 
discussed  in  the  following  subsections. 

1.  ARQ-Feedback 

This  standalone  ARQ  feedback  message  can  be  used  to  signal  any 
combination  of  different  ARQ  ACKs  (cumulative,  selective,  selective  with 
cumulative).  By  listening  and  transmitting  spoofed  ARQ-feedback  messages,  it 
may  be  possible  to  misalign  ARQ  sequences  between  the  BS  and  MS,  thus, 
disrupting  communications.  This  attack  vector  was  developed  after  investigating 
the  IEEE  802.16-2009  standard  [13],  Sections  6.3.2.3.30  and  11.1.2. 

2.  ARQ-Discard 

The transmitter sends the ARQ-Discard control message when it wants to skip a certain number of ARQ blocks in the ARQ transmission window. By listening and transmitting spoofed ARQ-Discard messages, it is possible for an attacker to misalign ARQ sequences between the BS and MS, thus disrupting communications. This attack vector was developed after investigating the IEEE 802.16-2009 standard [13], Sections 6.3.2.3.31 and 11.1.2.

3.  ARQ-Reset 

This control message is sent by the transmitter or the receiver of an ARQ-enabled transmission to reset the parent connection's ARQ transmitter and receiver state machines. As identified in previous literature, by spoofing ARQ-Reset an attacker can misalign ARQ sequences between the BS and MS [6]. This attack vector was verified after investigating the IEEE 802.16-2009 standard [13], Sections 6.3.2.3.32 and 11.1.2.
D. MIMO RELATED ATTACKS

The BS can set up long-term MIMO precoding with feedback for a particular MS by sending a "long-term MIMO precoding" (PRC-LT-CTRL) message. This message can be spoofed to turn long-term MIMO precoding with feedback on or off, as well as to set the precoding application delay, with the objective of causing a mismatch between the BS and MS that disrupts communications. This attack vector was developed after investigating the IEEE 802.16-2009 standard [13], Sections 6.3.2.3.56 and 11.1.2.

E.  FLOODING  ATTACKS 

1.  Ranging  Request  (RNG-REQ) 

This possible form of attack involves repeated transmission of RNG-REQ messages for initial ranging to tie up BS resources and deny entry to legitimate MSs. The attack is possible because this message is unauthenticated during initial network entry. This attack vector was developed after investigating the IEEE 802.16-2009 standard [13], Sections 6.3.2.3.5 and 11.1.2.

2.  Reset  Command  (RES-CMD) 

The RES-CMD message forces an MS to reset itself, reinitialize its MAC, and repeat initial system access. This message was previously identified as a vulnerability, and authentication was added to protect it. However, this protection merely narrows the window of application from any time, previously, to the network entry period. Hence, the RES-CMD message can still be injected during this small window to deny network access to a legitimate MS.

The window of opportunity is identified to be after completion of the ranging process and before the establishment of a security association (after which the applicable messages are encrypted and authenticated). This attack vector was developed from an understanding of the IEEE 802.16-2009 standard [13], Sections 6.3.2.3.22 and 11.1.2.
F. WATER TORTURE ATTACKS

1. Traffic Indication (MOB-TRF-IND)

MSs can enter sleep mode to conserve power, with an assigned SLPID (sleep ID). Sleeping MSs are allocated listening windows so they can wake up momentarily to listen for messages destined for them. Like the AAI-TRF-IND message introduced earlier, the MOB-TRF-IND message is a broadcast message sent by the BS; it indicates the presence of downlink traffic to a group of MSs that share the same SLPID (see Figure 52 for an illustration of sleep mode operation). With a negative indication of downlink traffic, the MS returns to sleep for the rest of the listening cycle to conserve power. With a positive indication, the MS remains awake for the rest of its listening cycle. By repeatedly spoofing the MOB-TRF-IND message with a positive indication, an attacker can increase battery drain on MSs within the cell. This vulnerability was identified for legacy systems in [5], [7], and [8] and was verified after investigating the IEEE 802.16-2009 standard [13], Sections 6.3.2.3.41 and 11.1.2.

2.  BS  Broadcast  Paging  (MOB-PAG-ADV) 

The  MOB-PAG-ADV  (the  predecessor  of  AAI-PAG-ADV)  message  can  be 
used  to  page  MSs  in  idle  mode  (to  conserve  power)  to  trigger  them  to  join  the 
network.  The  message  can  be  spoofed  to  cause  an  MS  to  increase  its  battery 
drain.  This  attack  vector  was  developed  after  investigating  the  IEEE  802.16-2009 
standard  [13],  Sections  6.3.2.3.51  and  11.1.2. 

G.  OTHER  GENERAL  MESSAGE  MODIFICATION  ATTACKS 

1.  UL  Channel  Descriptor  (UCD),  Downlink  Channel  Descriptor 
(DCD),  UL-MAP  and  DL-MAP 

The UCD, DCD, UL-MAP and DL-MAP together define the UL and DL channels. Modification or scrambling of these unprotected management messages results in disruption of communications. This attack vector was developed after investigating the IEEE 802.16-2009 standard [13], Sections 6.3.2.3.1, 6.3.2.3.2, 6.3.2.3.3, 6.3.2.3.4, and 11.1.2.

2.  Multicast  Assignment  Request  (MCA-REQ) 

As identified in previous literature [8], an attacker can spoof a multicast assignment request message (MCA-REQ) to remove an MS from a Multicast Polling Group. Once removed from a polling group, the MS has to use the mandatory contention-based bandwidth-allocation algorithm, which results in greater uplink delay. This attack vector was verified after investigating the IEEE 802.16-2009 standard [13], Sections 6.3.2.3.18 and 11.1.2.

3.  Downlink  Burst  Profile  Change  Request  (DBPC-REQ) 

The  DBPC-REQ  management  message  is  sent  by  the  MS  to  the  BS  on 
the  MS  basic  CID  channel  to  request  a  change  in  the  downlink  burst  profile  used 
by  the  BS  to  transport  data  to  the  MS.  As  identified  in  previous  literature  [8],  an 
attacker  can  spoof  this  message  to  change  the  profile  to  one  with  higher  speed 
but  less  robust.  This  can  result  in  high  bit  error  rates.  The  attack  vector  was 
verified  after  investigating  the  IEEE  802.16-2009  standard  [13],  Sections 
6.3.2.3.20  and  11.1.2. 

4.  Network  Clock  Comparison  (CLK-CMP) 

For service flows carrying information that requires the MSs to reconstruct the network clock, CLK-CMP messages are periodically broadcast by the BS. An attacker may spoof CLK-CMP messages to misalign the MS and BS clocks. This attack vector was developed after investigating the IEEE 802.16-2009 standard [13], Sections 6.3.2.3.25 and 11.1.2.

5.  Neighbor  Advertisement  (MOB-NBR-ADV) 

The MOB-NBR-ADV management message is broadcast by a BS to provide channel information about neighboring BSs, which is normally provided within DCD/UCD message transmissions. An attacker can spoof the MOB-NBR-ADV message with a fake BS, or falsely report poor characteristics for neighboring BSs, to hamper MSs from initiating handover to a BS with better characteristics. This vulnerability was previously identified in [7] and [8]. This attack vector was verified after investigating the IEEE 802.16-2009 standard [13], Sections 6.3.2.3.42 and 11.1.2.
VIII. CONCLUSION AND RECOMMENDATIONS


A.  CONCLUSIONS 

Possible  security  weaknesses  for  both  the  legacy  WiMAX  standard  and 
IEEE  802.16m-2011  were  examined  in  this  thesis.  To  assist  the  reader,  a 
summary  of  key  aspects  of  the  standard  was  provided,  with  appropriate 
emphasis  on  areas  relevant  to  understanding  the  discussion. 

IEEE 802.16 has come a long way in terms of capability and security. Early identified vulnerabilities stemmed from one key weakness: a lack of authentication and encryption for control messages. This was addressed progressively through the adoption of authentication for some of these messages. While IEEE 802.16-2009 offered significant improvements over its predecessors, a number of control messages remain unauthenticated and unencrypted. In addition to the vulnerabilities identified in previous literature, twelve additional attack vectors using control messages were proposed in this thesis. These vulnerabilities can be categorized as transmission power attacks, MIMO related attacks, flooding or denial-of-service attacks, water torture attacks, ARQ related attacks, advanced antenna system related attacks, and other miscellaneous attacks.

IEEE 802.16m-2011 is a significant revision (with a new set of control messages introduced), structurally enhanced to increase privacy and raise the barrier to attacks while maintaining backward compatibility with legacy standards. By introducing encryption for the first time for some control messages, the new standard reduces the exposure of system operating information that may be used against it. More significantly, by scrambling the A-MAPs using secret initial vectors exchanged securely during security negotiations upon network entry, a passive listener has difficulty identifying how radio resources are allocated. This effectively prevents exploitation of unicast control messages and enhances privacy. Nonetheless, broadcast control messages are still open to exploitation, and a significant number of the vulnerabilities in IEEE 802.16-2009 still exist in this revision.

The review of the new control message set in this thesis yielded thirteen attack vectors not discussed in previous literature. These vulnerabilities can be categorized as transmission power attacks, MIMO related attacks, flooding or denial-of-service attacks, water-torture attacks, and other miscellaneous attacks.

The  outlook  of  the  standard  in  terms  of  control  channel  security  is 
summarized  in  Table  15. 


Table 15. Summary of WiMAX security outlook.

                    IEEE 802.16-2009                            IEEE 802.16m-2011

Security features   Offers significant improvements over        Structurally enhanced to increase privacy and
                    older standards                             the barrier to attacks on unicast traffic

                    DL-MAP and UL-MAP scrambled with a          Assignment A-MAP for unicast traffic scrambled
                    known seed                                  with a secret seed

                    Some control messages authenticated         Besides authentication, some control messages
                                                                encrypted

Vulnerabilities     While some security vulnerabilities were    Although the scope for attack is reduced,
                    eliminated through authentication, the      significant attack vectors still exist, primarily
                    messages that were not remain the prime     unauthenticated broadcast messages as well as
                    attack vectors for the standard             exchanges during network entry

                    18 vulnerabilities, including 12 not        15 vulnerabilities, including 13 not previously
                    previously discussed                        discussed

B.  RECOMMENDATIONS 

The  emphasis  of  this  thesis  was  to  examine  the  IEEE  802.16m-2011 
standard  and  the  legacy  standard  for  vulnerabilities.  Nonetheless,  drawing  from 
the preceding conclusions, there are two key areas that require further work, and the findings in this thesis serve to highlight the urgency.

1.  Protection  of  Broadcast  Control  Messages 

We  see  that,  although,  most  unicast  control  messages  were  progressively 
protected  through  authentication  and/or  encryption  over  the  years,  all  broadcast 
messages  were  left  unprotected  till  the  present. 

A common symmetric key can be selected by the BS and distributed to all MSs during network entry, and periodically thereafter, in a secure manner. This key can then be used to decrypt broadcast messages encrypted by the BS using the same key. Though a symmetric key has its own set of limitations, especially in terms of key management, this is far superior to leaving all broadcast control messages in the clear.

2. Protection of Network Entry Process

Another significant area where we found a number of vulnerabilities is the network entry process, especially before the establishment of a security association. This lack of protection makes it possible for spoofed control messages like AAI-RES-CMD to be inserted to reset the MAC, thus interrupting network entry. Various forms of the Diffie-Hellman key exchange protocol have been proposed to provide some form of interim protection to secure the initial ranging and capability negotiation processes [10], [11].

C. FUTURE WORK

1. Further Expanding Scope of Vulnerability Analysis

No security analysis can be comprehensive, especially with a standard as complex as IEEE 802.16. There will always be room to analyze the standard further to uncover more vulnerabilities. The focus of this thesis was confined to that of control and management messages in the context of single-cell operation. Further research can be performed with the focus and scope shifted to other aspects or modes of operation, such as handover.

2. Study of Means of Working around the Scrambling of Assignment A-MAP

With IEEE 802.16m-2011, the assignment A-MAP, which contains information on resource allocation within each frame, is scrambled using the AMS’s STID and a binary sequence generated by a pseudo-random binary sequence (PRBS) generator. The PRBS generator is initialized with a vector passed to the AMS by the ABS in a secure manner during network entry. As a result, an attacker will not be able to ascertain how resources are allocated within the frame or identify recipients. This effectively renders all attacks using unicast control messages infeasible. If there is an effective means to overcome or work around this, the AAI-UL-POWER-ADJ message (described in Section V.C.2) can be used to manipulate an AMS’s transmission power individually. This capability will complement that of AAI-ULPC-NI message spoofing, which is used to manipulate the transmission power for all AMSs in the cell.
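To illustrate the contrast drawn in Table 15 between maps scrambled with a known seed and the assignment A-MAP scrambled with a seed delivered securely during network entry, the following Python model is added here; it is not part of the thesis, and its LFSR polynomial, seed width, STID mixing and IE bytes are constructed assumptions rather than the standard's actual generator.

```python
"""Constructed model of control-map scrambling with a known versus a secret seed.

Assumptions (NOT the IEEE 802.16m generator): a 15-bit Fibonacci LFSR with feedback
polynomial x^15 + x^14 + 1, the seed XOR-mixed with the 12-bit STID, a 4-byte IE."""


def prbs_bits(seed: int, width: int = 15, taps: tuple = (15, 14)):
    """Yield PRBS bits; the first `width` bits are the seed itself, LSB first."""
    state = seed & ((1 << width) - 1)
    if state == 0:
        raise ValueError("all-zero LFSR state never advances")
    while True:
        yield state & 1
        feedback = 0
        for exponent in taps:  # taps are polynomial exponents
            feedback ^= (state >> (width - exponent)) & 1
        state = (state >> 1) | (feedback << (width - 1))


def keystream(seed: int, nbytes: int) -> bytes:
    """Pack PRBS bits MSB-first into `nbytes` bytes."""
    bits = prbs_bits(seed)
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | next(bits)
        out.append(byte)
    return bytes(out)


def scramble(ie: bytes, stid: int, seed: int) -> bytes:
    """Scramble an IE addressed to `stid` (XOR, so the same call descrambles)."""
    ks = keystream(seed ^ stid, len(ie))
    return bytes(a ^ b for a, b in zip(ie, ks))


def attacker_recovers(ie: bytes, stid: int, true_seed: int, attacker_seed: int) -> bool:
    """Does an observer who assumes `attacker_seed` recover the IE sent on air?"""
    on_air = scramble(ie, stid, true_seed)
    return scramble(on_air, stid, attacker_seed) == ie


if __name__ == "__main__":
    IE, STID, SEED = bytes.fromhex("102a5b07"), 0x2A5, 0x3F1D  # constructed values
    # Legacy DL-MAP/UL-MAP analogue: the seed is known, so anyone descrambles.
    print("known seed  ->", attacker_recovers(IE, STID, SEED, SEED))  # True
    # Assignment A-MAP analogue: the seed was delivered securely; a guess fails.
    print("secret seed ->", attacker_recovers(IE, STID, SEED, 0x1234))  # False
```

The model only shows why a secret seed hides allocations and recipients from an observer; it says nothing about the integrity of the map, which is a separate concern the recommendations above address with authentication.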